HomeFreeBSD

sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*

Description

sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*

SNDSTIOC_ADD_USER_DEVS* expects a user-supplied sndstioc_nv_arg->nbytes,
however we currently do not check whether this size is actually valid,
which results in a panic when SNDSTIOC_ADD_USER_DEVS* is called with an
invalid size. sndstat_add_user_devs() calls
sndstat_unpack_user_nvlbuf(), which then calls malloc() with that size.

PR: 266142
Sponsored by: The FreeBSD Foundation
MFC after: 1 day
Reviewed by: brooks
Differential Revision: https://reviews.freebsd.org/D45236

Details

Provenance
christosAuthored on May 20 2024, 2:18 PM
Reviewer
brooks
Differential Revision
D45236: sound: Check user-supplied size passed to SNDSTIOC_ADD_USER_DEVS*
Parents
rG5d1a5d6f1f59: sound: Prevent uninitialized variable destruction in chn_init()
Branches
Unknown
Tags
Unknown