DragonFlyBSD Kernel Audit
DF-0003 / fix.diff
diff --git a/sys/kern/subr_bus.c b/sys/kern/subr_bus.c
index d33631d0..0000000 100644
--- a/sys/kern/subr_bus.c
+++ b/sys/kern/subr_bus.c
@@ -1066,6 +1066,13 @@
 {
 	int unit = *unitp;
 
+	/* Only -1 is a legal wildcard; any other negative unit would
+	 * bypass the existing-device and table-extension checks below
+	 * and be returned unchanged, causing dc->devices[dev->unit] in
+	 * devclass_add_device() to write out of bounds. */
+	if (unit < -1)
+		return (EINVAL);
+
 	PDEBUG(("unit %d in devclass %s", unit, DEVCLANAME(dc)));
 
 	/* If we have been given a wired unit number, check for existing device */
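Review bot: The new `unit < -1` guard returns before the `PDEBUG` line, so a rejected unit number leaves no trace even in debug builds, which makes the offending caller hard to find. I would log the rejection first, e.g. `PDEBUG(("rejecting unit %d in devclass %s", unit, DEVCLANAME(dc)));` inside a braced `if` ahead of `return (EINVAL);`. The guard also bounds only the lower side: the table-extension code that the comment refers to is outside this hunk, so it should be confirmed that a very large positive unit is capped there. The function's signature and the rest of its body are outside the hunk.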
@@ -2168,6 +2175,11 @@
 	devclass_t dc;
 	int err;
 
+	/* A negative unit would make `unit < dc->maxunit' below TRUE and
+	 * read dc->devices[] out of bounds; reject it. */
+	if (unit < 0)
+		return (EINVAL);
+
 	dc = device_get_devclass(dev);
 	if (unit < dc->maxunit && dc->devices[unit])
 		return(EBUSY);
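Review bot: The guard `if (unit < 0)` also rejects -1, which the first hunk's comment calls the only legal wildcard, and the added comment does not say whether that is deliberate. If -1 must not be passed here, state it: `/* No wildcard here: unit must name a concrete slot, so -1 is rejected too. */`. If a wildcard is meant to be accepted, reject only `unit < -1` and make the test `if (unit >= 0 && unit < dc->maxunit && dc->devices[unit])`. Separately, `dc` is dereferenced on the line after `device_get_devclass(dev)` with no NULL check; whether that call can return NULL for this device is not visible here. The function begins and continues outside the hunk.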