X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/8ad349bb6ed4a0be06e34c92be0d98b92e078db4..8f6c56a50524aa785f7e596d52dddfb331e18961:/bsd/ufs/ffs/ffs_vfsops.c

diff --git a/bsd/ufs/ffs/ffs_vfsops.c b/bsd/ufs/ffs/ffs_vfsops.c
index 1a336022c..a9e787a49 100644
--- a/bsd/ufs/ffs/ffs_vfsops.c
+++ b/bsd/ufs/ffs/ffs_vfsops.c
@@ -1,31 +1,29 @@
 /*
- * Copyright (c) 2006 Apple Computer, Inc. All Rights Reserved.
+ * Copyright (c) 2000-2004 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
- * @APPLE_LICENSE_OSREFERENCE_HEADER_START@
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
  * 
- * This file contains Original Code and/or Modifications of Original Code 
- * as defined in and that are subject to the Apple Public Source License 
- * Version 2.0 (the 'License'). You may not use this file except in 
- * compliance with the License.  The rights granted to you under the 
- * License may not be used to create, or enable the creation or 
- * redistribution of, unlawful or unlicensed copies of an Apple operating 
- * system, or to circumvent, violate, or enable the circumvention or 
- * violation of, any terms of an Apple operating system software license 
- * agreement.
- *
- * Please obtain a copy of the License at 
- * http://www.opensource.apple.com/apsl/ and read it before using this 
- * file.
- *
- * The Original Code and all software distributed under the License are 
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
- * Please see the License for the specific language governing rights and 
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ * 
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
  * limitations under the License.
- *
- * @APPLE_LICENSE_OSREFERENCE_HEADER_END@
+ * 
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  */
 /* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
 /*
@@ -361,7 +359,11 @@ ffs_reload(struct mount *mountp, kauth_cred_t cred, struct proc *p)
 	newfs = (struct fs *)buf_dataptr(bp);
 #if REV_ENDIAN_FS
 	if (rev_endian) {
-		byte_swap_sbin(newfs);
+		error = byte_swap_sbin(newfs);
+		if (error) {
+			buf_brelse(bp);
+			return (error);
+		}
 	}
 #endif /* REV_ENDIAN_FS */
 	if (newfs->fs_magic != FS_MAGIC || newfs->fs_bsize > MAXBSIZE ||
@@ -510,7 +512,9 @@ ffs_mountfs(devvp, mp, context)
 			error = EINVAL;
 			goto out;
 	    	}
-		byte_swap_sbin(fs);
+		if (error = byte_swap_sbin(fs))
+			goto out;
+
 		if (fs->fs_magic != FS_MAGIC || fs->fs_bsize > MAXBSIZE ||
 	    		fs->fs_bsize < sizeof(struct fs)) {
 			byte_swap_sbout(fs);
@@ -530,6 +534,14 @@ ffs_mountfs(devvp, mp, context)
 		goto out;
 	}
 
+	if (fs->fs_sbsize < 0 || fs->fs_sbsize > SBSIZE) {
+		error = EINVAL;
+		goto out;
+	}
+ 
+        /*
+         * Buffer cache does not handle multiple pages in a buf when
+
 
 	/*
 	 * Buffer cache does not handle multiple pages in a buf when
@@ -639,10 +651,28 @@ ffs_mountfs(devvp, mp, context)
 	bp = NULL;
 	fs = ump->um_fs;
 	fs->fs_ronly = ronly;
+	if (fs->fs_cssize < 1 || fs->fs_fsize < 1 || fs->fs_ncg < 1) {
+		error = EINVAL;
+		goto out;
+	}
+	if (fs->fs_frag < 1 || fs->fs_frag > MAXFRAG) {
+		error = EINVAL;
+		goto out;
+	}
+
 	size = fs->fs_cssize;
 	blks = howmany(size, fs->fs_fsize);
-	if (fs->fs_contigsumsize > 0)
+	if (fs->fs_contigsumsize > 0) {
+		if (fs->fs_ncg > INT_MAX / sizeof(int32_t) || size > INT_MAX - fs->fs_ncg * sizeof(int32_t)) {
+			error = EINVAL;
+			goto out;
+		}
 		size += fs->fs_ncg * sizeof(int32_t);
+	}
+	if (fs->fs_ncg > INT_MAX / sizeof(u_int8_t) || size > INT_MAX - fs->fs_ncg * sizeof(u_int8_t)) {
+		error = EINVAL;
+		goto out;
+	}
 	size += fs->fs_ncg * sizeof(u_int8_t);
 	space = _MALLOC((u_long)size, M_UFSMNT, M_WAITOK);
 	fs->fs_csp = space;