diff options
| author | cinap_lenrek <cinap_lenrek@felloff.net> | 2016-05-05 18:54:58 +0200 |
|---|---|---|
| committer | cinap_lenrek <cinap_lenrek@felloff.net> | 2016-05-05 18:54:58 +0200 |
| commit | 66719fb3ea15351f8860cc6696993357a60ab238 (patch) | |
| tree | 83e865384531ef9557bd5faf5be4d31d9592e08b /sys/src/9 | |
| parent | 7d45ee4f6adc378fb6244c73abe8e46fe636beae (diff) | |
kernel: fix cb->f[0] nil dereferences due to short control request
Diffstat (limited to 'sys/src/9')
| -rw-r--r-- | sys/src/9/ip/iproute.c | 6 | ||||
| -rw-r--r-- | sys/src/9/port/devsegment.c | 2 | ||||
| -rw-r--r-- | sys/src/9/port/devusb.c | 2 | ||||
| -rw-r--r-- | sys/src/9/port/led.c | 2 |
4 files changed, 6 insertions, 6 deletions
diff --git a/sys/src/9/ip/iproute.c b/sys/src/9/ip/iproute.c index 53e3da988..518950309 100644 --- a/sys/src/9/ip/iproute.c +++ b/sys/src/9/ip/iproute.c @@ -797,7 +797,8 @@ routewrite(Fs *f, Chan *c, char *p, int n) free(cb); nexterror(); } - + if(cb->nf < 1) + error("short control request"); if(strcmp(cb->f[0], "flush") == 0){ tag = cb->f[1]; for(h = 0; h < nelem(f->v4root); h++) @@ -846,7 +847,8 @@ routewrite(Fs *f, Chan *c, char *p, int n) na = newipaux(a->owner, cb->f[1]); c->aux = na; free(a); - } + } else + error(Ebadctl); poperror(); free(cb); diff --git a/sys/src/9/port/devsegment.c b/sys/src/9/port/devsegment.c index 4f0e6664d..033affb6d 100644 --- a/sys/src/9/port/devsegment.c +++ b/sys/src/9/port/devsegment.c @@ -313,7 +313,7 @@ segmentwrite(Chan *c, void *a, long n, vlong voff) free(cb); nexterror(); } - if(strcmp(cb->f[0], "va") == 0){ + if(cb->nf > 0 && strcmp(cb->f[0], "va") == 0){ if(g->s != nil) error("already has a virtual address"); if(cb->nf < 3) diff --git a/sys/src/9/port/devusb.c b/sys/src/9/port/devusb.c index e896af1bc..d24c37b42 100644 --- a/sys/src/9/port/devusb.c +++ b/sys/src/9/port/devusb.c @@ -1124,8 +1124,6 @@ epctl(Ep *ep, Chan *c, void *a, long n) nexterror(); } ct = lookupcmd(cb, epctls, nelem(epctls)); - if(ct == nil) - error(Ebadctl); i = ct->index; if(i == CMnew || i == CMspeed || i == CMhub || i == CMpreset) if(ep != ep->ep0) diff --git a/sys/src/9/port/led.c b/sys/src/9/port/led.c index 8456d32cc..57b6e8104 100644 --- a/sys/src/9/port/led.c +++ b/sys/src/9/port/led.c @@ -53,7 +53,7 @@ ledw(Ledport *p, Chan*, void *a, long n, vlong) Cmdbuf *cb; cb = parsecmd(a, n); - i = name2led(cb->f[0]); + i = cb->nf < 1 ? -1 : name2led(cb->f[0]); free(cb); if(i == -1) error(Ebadarg); |