X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/378393581903b274cb7a4d18e0d978071a6b592d..8f6c56a50524aa785f7e596d52dddfb331e18961:/bsd/ufs/ffs/ffs_vfsops.c diff --git a/bsd/ufs/ffs/ffs_vfsops.c b/bsd/ufs/ffs/ffs_vfsops.c index 06d21d70a..a9e787a49 100644 --- a/bsd/ufs/ffs/ffs_vfsops.c +++ b/bsd/ufs/ffs/ffs_vfsops.c @@ -1,23 +1,29 @@ /* * Copyright (c) 2000-2004 Apple Computer, Inc. All rights reserved. * - * @APPLE_LICENSE_HEADER_START@ + * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * - * The contents of this file constitute Original Code as defined in and - * are subject to the Apple Public Source License Version 1.1 (the - * "License"). You may not use this file except in compliance with the - * License. Please obtain a copy of the License at - * http://www.apple.com/publicsource and read it before using this file. + * This file contains Original Code and/or Modifications of Original Code + * as defined in and that are subject to the Apple Public Source License + * Version 2.0 (the 'License'). You may not use this file except in + * compliance with the License. The rights granted to you under the License + * may not be used to create, or enable the creation or redistribution of, + * unlawful or unlicensed copies of an Apple operating system, or to + * circumvent, violate, or enable the circumvention or violation of, any + * terms of an Apple operating system software license agreement. * - * This Original Code and all software distributed under the License are - * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER + * Please obtain a copy of the License at + * http://www.opensource.apple.com/apsl/ and read it before using this file. + * + * The Original Code and all software distributed under the License are + * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the - * License for the specific language governing rights and limitations - * under the License. + * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. + * Please see the License for the specific language governing rights and + * limitations under the License. * - * @APPLE_LICENSE_HEADER_END@ + * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ */ /* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */ /* @@ -353,7 +359,11 @@ ffs_reload(struct mount *mountp, kauth_cred_t cred, struct proc *p) newfs = (struct fs *)buf_dataptr(bp); #if REV_ENDIAN_FS if (rev_endian) { - byte_swap_sbin(newfs); + error = byte_swap_sbin(newfs); + if (error) { + buf_brelse(bp); + return (error); + } } #endif /* REV_ENDIAN_FS */ if (newfs->fs_magic != FS_MAGIC || newfs->fs_bsize > MAXBSIZE || @@ -502,7 +512,9 @@ ffs_mountfs(devvp, mp, context) error = EINVAL; goto out; } - byte_swap_sbin(fs); + if (error = byte_swap_sbin(fs)) + goto out; + if (fs->fs_magic != FS_MAGIC || fs->fs_bsize > MAXBSIZE || fs->fs_bsize < sizeof(struct fs)) { byte_swap_sbout(fs); @@ -522,6 +534,14 @@ ffs_mountfs(devvp, mp, context) goto out; } + if (fs->fs_sbsize < 0 || fs->fs_sbsize > SBSIZE) { + error = EINVAL; + goto out; + } + + /* + * Buffer cache does not handle multiple pages in a buf when + /* * Buffer cache does not handle multiple pages in a buf when @@ -631,10 +651,28 @@ ffs_mountfs(devvp, mp, context) bp = NULL; fs = ump->um_fs; fs->fs_ronly = ronly; + if (fs->fs_cssize < 1 || fs->fs_fsize < 1 || fs->fs_ncg < 1) { + error = EINVAL; + goto out; + } + if (fs->fs_frag < 1 || fs->fs_frag > MAXFRAG) { + error = EINVAL; + goto out; + } + size = fs->fs_cssize; blks = howmany(size, fs->fs_fsize); - if (fs->fs_contigsumsize > 0) + if (fs->fs_contigsumsize > 0) { + if (fs->fs_ncg > INT_MAX / sizeof(int32_t) || size > INT_MAX - fs->fs_ncg * sizeof(int32_t)) { + error = EINVAL; + goto out; + } size += fs->fs_ncg * sizeof(int32_t); + } + if (fs->fs_ncg > INT_MAX / sizeof(u_int8_t) || size > INT_MAX - fs->fs_ncg * sizeof(u_int8_t)) { + error = EINVAL; + goto out; + } size += fs->fs_ncg * sizeof(u_int8_t); space = _MALLOC((u_long)size, M_UFSMNT, M_WAITOK); fs->fs_csp = space;