svn commit: r332329 - stable/11/sys/net
Brooks Davis
brooks at FreeBSD.org
Mon Apr 9 15:21:41 UTC 2018
Author: brooks
Date: Mon Apr 9 15:21:40 2018
New Revision: 332329
URL: https://svnweb.freebsd.org/changeset/base/332329
Log:
MFC r332151:
ifconf(): correct handling of sockaddrs smaller than struct sockaddr.
Portable programs that use SIOCGIFCONF (e.g. traceroute) assume
that each pseudo ifreq is of length MAX(sizeof(struct ifreq),
sizeof(ifr_name) + ifr_addr.sa_len). For short sockaddrs we copied
too much from the source sockaddr resulting in a heap leak.
I believe only one such sockaddr exists (struct sockaddr_sco which
is 8 bytes) and it is unclear if such sockaddrs end up on interfaces
in practice. If it did, the result would be an 8 byte heap leak on
current architectures.
admbugs: 869
Reviewed by: kib
Obtained from: CheriBSD
Security: kernel heap leak
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D14981
Modified:
stable/11/sys/net/if.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sys/net/if.c
==============================================================================
--- stable/11/sys/net/if.c Mon Apr 9 15:11:17 2018 (r332328)
+++ stable/11/sys/net/if.c Mon Apr 9 15:21:40 2018 (r332329)
@@ -3153,7 +3153,13 @@ again:
max_len += sizeof(ifr);
} else
if (sa->sa_len <= sizeof(*sa)) {
- ifr.ifr_addr = *sa;
+ if (sa->sa_len < sizeof(*sa)) {
+ memset(&ifr.ifr_ifru.ifru_addr, 0,
+ sizeof(ifr.ifr_ifru.ifru_addr));
+ memcpy(&ifr.ifr_ifru.ifru_addr, sa,
+ sa->sa_len);
+ } else
+ ifr.ifr_ifru.ifru_addr = *sa;
sbuf_bcat(sb, &ifr, sizeof(ifr));
max_len += sizeof(ifr);
} else {
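Review bot: The new `if (sa->sa_len < sizeof(*sa))` branch has no comment saying why the plain struct assignment is unsafe there, namely that `*sa` reads `sizeof(*sa)` bytes from an allocation that may hold only `sa_len` bytes. A one-line comment above the `memset` would keep a later cleanup from folding the two branches back into `ifr.ifr_ifru.ifru_addr = *sa;`. The `memset` plus `memcpy(..., sa->sa_len)` pair is also correct when `sa_len == sizeof(*sa)`, so it could run unconditionally inside the enclosing `sa->sa_len <= sizeof(*sa)` test, which would remove the inner `if`/`else`. Separately, `sbuf_bcat(sb, &ifr, sizeof(ifr))` emits the whole `ifr`, while the new `memset` clears only `ifru_addr`; the initialisation of the remaining bytes of `ifr` is outside this hunk and is worth confirming in the same review.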
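How a consumer walks the records the log message describes, with a check for nonzero bytes left after a short sockaddr, as an added example that is not part of the commit or of FreeBSD's code. The `m_`-prefixed structs and functions are hypothetical and model a 16-byte name and a 16-byte sockaddr with a leading `sa_len` byte; the sample record is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed BSD-style layouts (assumed: 16-byte name, 16-byte sockaddr
 * with a leading sa_len byte). These are not the kernel's headers. */
struct m_sockaddr { uint8_t sa_len, sa_family; char sa_data[14]; };
struct m_ifreq { char ifr_name[16]; struct m_sockaddr ifr_addr; };

/* Record length per the log: MAX(sizeof(ifreq), sizeof(ifr_name) + sa_len). */
static size_t m_stride(const struct m_ifreq *r)
{
    size_t n = sizeof(r->ifr_name) + r->ifr_addr.sa_len;
    return n > sizeof(*r) ? n : sizeof(*r);
}

/* Walk a SIOCGIFCONF-style buffer. Returns the record count, or -1 on a
 * truncated record or sa_len < 2. *stale counts nonzero bytes between
 * sa_len and the end of the fixed-size address slot, which a producer
 * that zero-fills before copying sa_len bytes leaves at zero. */
int m_walk(const uint8_t *buf, size_t len, size_t *stale)
{
    int count = 0;
    *stale = 0;
    for (size_t off = 0; off < len; count++) {
        struct m_ifreq r;
        if (len - off < sizeof(r))
            return -1;
        memcpy(&r, buf + off, sizeof(r)); /* records may be unaligned */
        if (r.ifr_addr.sa_len < 2 || len - off < m_stride(&r))
            return -1;
        for (size_t i = r.ifr_addr.sa_len; i < sizeof(r.ifr_addr); i++)
            *stale += ((const uint8_t *)&r.ifr_addr)[i] != 0;
        off += m_stride(&r);
    }
    return count;
}

/* Constructed sample: one record with an 8-byte sockaddr; `fill` is the
 * byte value left in the slot after the address (0 models a zeroed slot). */
size_t m_demo(uint8_t fill)
{
    struct m_ifreq r = { .ifr_name = "if0" };
    size_t stale;
    memset(&r.ifr_addr, fill, sizeof(r.ifr_addr));
    r.ifr_addr.sa_len = 8;
    r.ifr_addr.sa_family = 1;             /* constructed value */
    memset(r.ifr_addr.sa_data, 0x11, 6);  /* bytes 2..7: address payload */
    return m_walk((const uint8_t *)&r, sizeof(r), &stale) == 1 ? stale : (size_t)-1;
}
```

A nonzero `fill` stands in for whatever followed the short sockaddr in memory, so `m_demo` reports 8 stale bytes for that case and 0 for a zero-filled slot.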