diff --git a/sys/kern/subr_bus.c b/sys/kern/subr_bus.c
index d33631d0..0000000 100644
--- a/sys/kern/subr_bus.c
+++ b/sys/kern/subr_bus.c
@@ -1066,6 +1066,13 @@
 {
 int unit = *unitp;
+ /* Only -1 is a legal wildcard; any other negative unit would
+ * bypass the existing-device and table-extension checks below
+ * and be returned unchanged, causing dc->devices[dev->unit] in
+ * devclass_add_device() to write out of bounds. */
+ if (unit < -1)
+ return (EINVAL);
+
 PDEBUG(("unit %d in devclass %s", unit, DEVCLANAME(dc)));
 /* If we have been given a wired unit number, check for existing device */
@@ -2168,6 +2175,11 @@
 devclass_t dc;
 int err;
+ /* A negative unit would make `unit < dc->maxunit' below TRUE and
+ * read dc->devices[] out of bounds; reject it. */
+ if (unit < 0)
+ return (EINVAL);
+
 dc = device_get_devclass(dev);
 if (unit < dc->maxunit && dc->devices[unit])
 return(EBUSY);
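Review bot: The new `if (unit < -1)` guard in the first hunk protects the `dc->devices[dev->unit]` store named in its comment only for callers that reach it through this function; the store itself in devclass_add_device() stays unchecked. If any other path can set the unit (not visible in this hunk), the same out-of-bounds write remains reachable, so an assertion at the sink would make the invariant explicit, e.g. `KASSERT(dev->unit >= 0 && dev->unit < dc->maxunit, ("unit %d out of range", dev->unit));`. The early return also sits above the PDEBUG line, so a rejected unit leaves no debug trace; placing the check just below PDEBUG would keep one. The function's signature and the rest of its body lie outside the hunk.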
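Review bot: In the second hunk the added `unit < 0` check closes the negative index, but `dc` is still dereferenced unchecked: `dc->maxunit` is read directly after `dc = device_get_devclass(dev);`. If device_get_devclass() can return NULL for a device that has no devclass (its definition is not visible here), that is a NULL dereference on the same validation path, and `if (dc == NULL) return (EINVAL);` ahead of the EBUSY test would cover it. The function's header and the remainder of its body are outside the hunk, so whether later code re-validates `unit` against the table size cannot be confirmed from here.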