shithub: riscv

Download patch

ref: 66719fb3ea15351f8860cc6696993357a60ab238
parent: 7d45ee4f6adc378fb6244c73abe8e46fe636beae
author: cinap_lenrek <[email protected]>
date: Thu May 5 14:54:58 EDT 2016

kernel: fix cb->f[0] nil dereferences due to short control request

--- a/sys/src/9/ip/iproute.c
+++ b/sys/src/9/ip/iproute.c
@@ -797,7 +797,8 @@
 		free(cb);
 		nexterror();
 	}
-
+	if(cb->nf < 1)
+		error("short control request");
 	if(strcmp(cb->f[0], "flush") == 0){
 		tag = cb->f[1];
 		for(h = 0; h < nelem(f->v4root); h++)
@@ -846,7 +847,8 @@
 		na = newipaux(a->owner, cb->f[1]);
 		c->aux = na;
 		free(a);
-	}
+	} else
+		error(Ebadctl);
 
 	poperror();
 	free(cb);
--- a/sys/src/9/port/devsegment.c
+++ b/sys/src/9/port/devsegment.c
@@ -313,7 +313,7 @@
 			free(cb);
 			nexterror();
 		}
-		if(strcmp(cb->f[0], "va") == 0){
+		if(cb->nf > 0 && strcmp(cb->f[0], "va") == 0){
 			if(g->s != nil)
 				error("already has a virtual address");
 			if(cb->nf < 3)
--- a/sys/src/9/port/devusb.c
+++ b/sys/src/9/port/devusb.c
@@ -1124,8 +1124,6 @@
 		nexterror();
 	}
 	ct = lookupcmd(cb, epctls, nelem(epctls));
-	if(ct == nil)
-		error(Ebadctl);
 	i = ct->index;
 	if(i == CMnew || i == CMspeed || i == CMhub || i == CMpreset)
 		if(ep != ep->ep0)
--- a/sys/src/9/port/led.c
+++ b/sys/src/9/port/led.c
@@ -53,7 +53,7 @@
 	Cmdbuf *cb;
 
 	cb = parsecmd(a, n);
-	i = name2led(cb->f[0]);
+	i = cb->nf < 1 ? -1 : name2led(cb->f[0]);
 	free(cb);
 	if(i == -1)
 		error(Ebadarg);