From c7be66d1904c2bc85c73040d0b98529bd9ad5a92 Mon Sep 17 00:00:00 2001
From: Colin Percival <cperciva@FreeBSD.org>
Date: Fri, 6 May 2005 02:40:32 +0000
Subject: Correctly validate inputs to the i386_get_ldt syscall.

Security: FreeBSD-SA-05:07.ldt
Approved by: so (cperciva)
---
 sys/i386/i386/sys_machdep.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

(limited to 'sys/i386/i386/sys_machdep.c')

diff --git a/sys/i386/i386/sys_machdep.c b/sys/i386/i386/sys_machdep.c
index f87e333cbf88..a9dcf48254a3 100644
--- a/sys/i386/i386/sys_machdep.c
+++ b/sys/i386/i386/sys_machdep.c
@@ -342,10 +342,6 @@ i386_get_ldt(p, args)
 	    uap->start, uap->num, (void *)uap->descs);
 #endif
 
-	/* verify range of LDTs exist */
-	if ((uap->start < 0) || (uap->num <= 0))
-		return(EINVAL);
-
 	s = splhigh();
 
 	if (pcb_ldt) {
@@ -357,7 +353,10 @@ i386_get_ldt(p, args)
 		num = min(uap->num, nldt);
 		lp = &ldt[uap->start];
 	}
-	if (uap->start + num > nldt) {
+
+	if ((uap->start > (unsigned int)nldt) ||
+	    ((unsigned int)num > (unsigned int)nldt) ||
+	    ((unsigned int)(uap->start + num) > (unsigned int)nldt)) {
 		splx(s);
 		return(EINVAL);
 	}
-- 
cgit v1.2.3