svn commit: r332332 - stable/10/sys/net
Brooks Davis
brooks at FreeBSD.org
Mon Apr 9 16:32:50 UTC 2018
Author: brooks
Date: Mon Apr 9 16:32:49 2018
New Revision: 332332
URL: https://svnweb.freebsd.org/changeset/base/332332
Log:
MFC r332151:

ifconf(): correct handling of sockaddrs smaller than struct sockaddr.

Portable programs that use SIOCGIFCONF (e.g. traceroute) assume
that each pseudo ifreq is of length MAX(sizeof(struct ifreq),
sizeof(ifr_name) + ifr_addr.sa_len). For short sockaddrs we copied
too much from the source sockaddr resulting in a heap leak.

I believe only one such sockaddr exists (struct sockaddr_sco which
is 8 bytes) and it is unclear if such sockaddrs end up on interfaces
in practice. If it did, the result would be an 8 byte heap leak on
current architectures.

admbugs: 869
Reviewed by: kib
Obtained from: CheriBSD
Security: kernel heap leak
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D14981
Modified:
stable/10/sys/net/if.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/sys/net/if.c
==============================================================================
--- stable/10/sys/net/if.c Mon Apr 9 16:18:02 2018 (r332331)
+++ stable/10/sys/net/if.c Mon Apr 9 16:32:49 2018 (r332332)
@@ -3055,7 +3055,13 @@ again:
} else
#endif
if (sa->sa_len <= sizeof(*sa)) {
- ifr.ifr_addr = *sa;
+ if (sa->sa_len < sizeof(*sa)) {
+ memset(&ifr.ifr_ifru.ifru_addr, 0,
+ sizeof(ifr.ifr_ifru.ifru_addr));
+ memcpy(&ifr.ifr_ifru.ifru_addr, sa,
+ sa->sa_len);
+ } else
+ ifr.ifr_ifru.ifru_addr = *sa;
sbuf_bcat(sb, &ifr, sizeof(ifr));
max_len += sizeof(ifr);
} else {
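Review bot: in the new sa->sa_len < sizeof(*sa) branch the memset clears only ifr.ifr_ifru.ifru_addr, yet the sbuf_bcat() two lines later copies sizeof(ifr) bytes out, so every byte of ifr outside ifru_addr and ifr_name has to be initialized somewhere not shown in this hunk. If ifr is not already zeroed before the loop, consider clearing the whole ifr_ifru union here instead of just the ifru_addr member, so that no stale bytes from a previous iteration or from the stack can reach userland. It would also help to add a one-line comment above the inner if explaining that a plain struct assignment would read sizeof(*sa) bytes from an allocation that is only sa_len long, since the reason for the memset plus memcpy pair is not obvious from the code alone. As a minor style point, the braced if paired with an unbraced else reads unevenly; bracing both arms would make the two copy paths easier to compare.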