From: David Rhodus <drhodus@dragonflybsd.org>
Date: Mon, 11 Aug 2003 17:50:15 +0000 (+0000)
Subject: Add or correct range checking of signal numbers in system calls and
X-Git-Tag: v2.0.1~13113
X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/d82eda3e53c7ea1931b2164c3c0e3a91cf6c7e50

Add or correct range checking of signal numbers in system calls and
ioctls.
---

diff --git a/sys/dev/misc/spigot/spigot.c b/sys/dev/misc/spigot/spigot.c
index 2bae5b459e..8b722a80da 100644
--- a/sys/dev/misc/spigot/spigot.c
+++ b/sys/dev/misc/spigot/spigot.c
@@ -43,7 +43,7 @@
  * Version 1.7, December 1995.
  *
  * $FreeBSD: src/sys/i386/isa/spigot.c,v 1.44 2000/01/29 16:17:36 peter Exp $
- * $DragonFly: src/sys/dev/misc/spigot/spigot.c,v 1.6 2003/08/07 21:16:58 dillon Exp $
+ * $DragonFly: src/sys/dev/misc/spigot/spigot.c,v 1.7 2003/08/11 17:50:15 drhodus Exp $
  *
  */
 
@@ -224,6 +224,8 @@ struct	spigot_info	*info;
 	if(!data) return(EINVAL);
 	switch(cmd){
 	case	SPIGOT_SETINT:
+		if (*(int *)data < 0 || *(int *)data > _SIG_MAXSIG)
+			return (EINVAL);
 		ss->p = td->td_proc;
 		ss->signal_num = *((int *)data);
 		break;
diff --git a/sys/dev/video/bktr/bktr_core.c b/sys/dev/video/bktr/bktr_core.c
index 60a5f6057a..a2aa0f5fa5 100644
--- a/sys/dev/video/bktr/bktr_core.c
+++ b/sys/dev/video/bktr/bktr_core.c
@@ -1,5 +1,5 @@
 /* $FreeBSD: src/sys/dev/bktr/bktr_core.c,v 1.103.2.4 2000/11/01 09:36:14 roger Exp $ */
-/* $DragonFly: src/sys/dev/video/bktr/bktr_core.c,v 1.6 2003/08/11 17:30:31 drhodus Exp $ */
+/* $DragonFly: src/sys/dev/video/bktr/bktr_core.c,v 1.7 2003/08/11 17:50:15 drhodus Exp $ */
 
 /*
  * This is part of the Driver for Video Capture Cards (Frame grabbers)
@@ -1544,7 +1544,7 @@ video_ioctl( bktr_ptr_t bktr, int unit, ioctl_cmd_t cmd, caddr_t arg, struct thr
 		break;
 
 	case METEORSSIGNAL:
-		if(*(int *)arg == 0 || *(int *)arg >= NSIG) {
+		if(*(int *)arg <= 0 || *(int *)arg > _SIG_MAXSIG) {
 			return( EINVAL );
 			break;
 		}
diff --git a/sys/dev/video/meteor/meteor.c b/sys/dev/video/meteor/meteor.c
index 0575512f1d..8760b94827 100644
--- a/sys/dev/video/meteor/meteor.c
+++ b/sys/dev/video/meteor/meteor.c
@@ -29,7 +29,7 @@
  * POSSIBILITY OF SUCH DAMAGE.
  *
  * $FreeBSD: src/sys/pci/meteor.c,v 1.49 1999/09/25 18:24:41 phk Exp $
- * $DragonFly: src/sys/dev/video/meteor/meteor.c,v 1.7 2003/08/07 21:17:16 dillon Exp $
+ * $DragonFly: src/sys/dev/video/meteor/meteor.c,v 1.8 2003/08/11 17:50:15 drhodus Exp $
  */
 
 /*		Change History:
@@ -1387,6 +1387,8 @@ meteor_ioctl(dev_t dev, u_long cmd, caddr_t arg, int flag, struct thread *td)
 		*(u_short *)arg = mtr->fps;
 		break;
 	case METEORSSIGNAL:
+		if (*(int *)arg < 0 || *(int *)arg > _SIG_MAXSIG)
+			return EINVAL;
 		mtr->signal = *(int *) arg;
 		if (mtr->signal) {
 		  mtr->proc = td->td_proc;	/* might be NULL */