ref: 66719fb3ea15351f8860cc6696993357a60ab238
parent: 7d45ee4f6adc378fb6244c73abe8e46fe636beae
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Thu May 5 14:54:58 EDT 2016
kernel: fix cb->f[0] nil dereferences due to short control request
--- a/sys/src/9/ip/iproute.c
+++ b/sys/src/9/ip/iproute.c
@@ -797,7 +797,8 @@
free(cb);
nexterror();
}
-
+ if(cb->nf < 1)
+ error("short control request"); if(strcmp(cb->f[0], "flush") == 0){tag = cb->f[1];
for(h = 0; h < nelem(f->v4root); h++)
@@ -846,7 +847,8 @@
na = newipaux(a->owner, cb->f[1]);
c->aux = na;
free(a);
- }
+ } else
+ error(Ebadctl);
poperror();
free(cb);
--- a/sys/src/9/port/devsegment.c
+++ b/sys/src/9/port/devsegment.c
@@ -313,7 +313,7 @@
free(cb);
nexterror();
}
- if(strcmp(cb->f[0], "va") == 0){+ if(cb->nf > 0 && strcmp(cb->f[0], "va") == 0){if(g->s != nil)
error("already has a virtual address");if(cb->nf < 3)
--- a/sys/src/9/port/devusb.c
+++ b/sys/src/9/port/devusb.c
@@ -1124,8 +1124,6 @@
nexterror();
}
ct = lookupcmd(cb, epctls, nelem(epctls));
- if(ct == nil)
- error(Ebadctl);
i = ct->index;
if(i == CMnew || i == CMspeed || i == CMhub || i == CMpreset)
if(ep != ep->ep0)
--- a/sys/src/9/port/led.c
+++ b/sys/src/9/port/led.c
@@ -53,7 +53,7 @@
Cmdbuf *cb;
cb = parsecmd(a, n);
- i = name2led(cb->f[0]);
+ i = cb->nf < 1 ? -1 : name2led(cb->f[0]);
free(cb);
if(i == -1)
error(Ebadarg);