Don't directly dereference userland pointer; instead use kernel pointer

copied in from userspace. This fixes instant panic when creating CTL LUN on sparc64. Not a security problem, since the API is root-only. Reviewed by: ken Sponsored by: FreeBSD Foundation
svn path=/head/; revision=249026
2024-10-19 14:54:24 +00:00 · 2013-04-02 16:50:50 +00:00 · 2013-04-02 16:50:50 +00:00 · 9eef3375ce · 2020-12-20 02:59:44 +00:00
parent a358cf3aec
commit 9eef3375ce
1 changed files with 4 additions and 4 deletions
--- a/sys/cam/ctl/ctl_backend_block.c
+++ b/sys/cam/ctl/ctl_backend_block.c
@ -1658,7 +1658,7 @@ ctl_be_block_create(struct ctl_be_block_softc *softc, struct ctl_lun_req *req)

 	if (be_lun->ctl_be_lun.lun_type == T_DIRECT) {
 		for (i = 0; i < req->num_be_args; i++) {
-			if (strcmp(req->kern_be_args[i].name, "file") == 0) {
+			if (strcmp(req->kern_be_args[i].kname, "file") == 0) {
 				file_arg = &req->kern_be_args[i];
 				break;
 			}
@ -1673,7 +1673,7 @@ ctl_be_block_create(struct ctl_be_block_softc *softc, struct ctl_lun_req *req)
 		be_lun->dev_path = malloc(file_arg->vallen, M_CTLBLK,
 					  M_WAITOK | M_ZERO);

-		strlcpy(be_lun->dev_path, (char *)file_arg->value,
+		strlcpy(be_lun->dev_path, (char *)file_arg->kvalue,
 			file_arg->vallen);

 		retval = ctl_be_block_open(softc, be_lun, req);
@ -1712,7 +1712,7 @@ ctl_be_block_create(struct ctl_be_block_softc *softc, struct ctl_lun_req *req)
 	 * the loop above,
 	 */
 	for (i = 0; i < req->num_be_args; i++) {
-		if (strcmp(req->kern_be_args[i].name, "num_threads") == 0) {
+		if (strcmp(req->kern_be_args[i].kname, "num_threads") == 0) {
 			struct ctl_be_arg *thread_arg;
 			char num_thread_str[16];
 			int tmp_num_threads;
@ -1720,7 +1720,7 @@ ctl_be_block_create(struct ctl_be_block_softc *softc, struct ctl_lun_req *req)

 			thread_arg = &req->kern_be_args[i];

-			strlcpy(num_thread_str, (char *)thread_arg->value,
+			strlcpy(num_thread_str, (char *)thread_arg->kvalue,
 				min(thread_arg->vallen,
 				sizeof(num_thread_str)));