Date:      Sun, 24 Jul 2016 10:10:09 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r303263 - in head/sys: compat/svr4 net
Message-ID:  <201607241010.u6OAA9IJ012434@repo.freebsd.org>

Author: glebius
Date: Sun Jul 24 10:10:09 2016
New Revision: 303263
URL: https://svnweb.freebsd.org/changeset/base/303263

Log:
  Partially revert r257696/r257713, which have an issue with writing to a
  user-controlled address. Restore the old code that emulated OSIOCGIFCONF in if.c.
  
  Noticed by:	C Turt

Modified:
  head/sys/compat/svr4/svr4_sockio.c
  head/sys/net/if.c

Modified: head/sys/compat/svr4/svr4_sockio.c
==============================================================================
--- head/sys/compat/svr4/svr4_sockio.c	Sun Jul 24 10:00:29 2016	(r303262)
+++ head/sys/compat/svr4/svr4_sockio.c	Sun Jul 24 10:10:09 2016	(r303263)
@@ -73,6 +73,8 @@ bsd_to_svr4_flags(bf)
 	return sf;
 }
 
+#define	OSIOCGIFCONF	_IOWR('i', 20, struct ifconf)
+
 int
 svr4_sock_ioctl(fp, td, retval, fd, cmd, data)
 	struct file *fp;
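Review bot: `OSIOCGIFCONF` is now defined twice, here and again in the head/sys/net/if.c hunk at `@@ -2699,6 +2699,9 @@`, and the compat path only works while both `_IOWR('i', 20, struct ifconf)` encodings stay identical. Moving the define into a header that both files include would remove that coupling. Failing that, a comment on each copy such as `/* must match OSIOCGIFCONF in sys/net/if.c */` would at least record the dependency. svr4_sock_ioctl's body continues outside the hunk.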
@@ -144,7 +146,6 @@ svr4_sock_ioctl(fp, td, retval, fd, cmd,
 	case SVR4_SIOCGIFCONF:
 		{
 			struct svr4_ifconf sc;
-			struct ifconf *ifc;
 
 			if ((error = copyin(data, &sc, sizeof(sc))) != 0)
 				return error;
@@ -153,19 +154,9 @@ svr4_sock_ioctl(fp, td, retval, fd, cmd,
 				sizeof(struct ifreq), sizeof(struct svr4_ifreq),
 				sc.svr4_ifc_len));
 
-			ifc = (struct ifconf *)&sc;
-			ifc->ifc_req->ifr_addr.sa_family =
-			    sc.svr4_ifc_req->svr4_ifr_addr.sa_family;
-			ifc->ifc_req->ifr_addr.sa_len =
-			    sizeof(struct osockaddr);
-
-			error = fo_ioctl(fp, SIOCGIFCONF, &sc, td->td_ucred,
-			    td);
-
-			sc.svr4_ifc_req->svr4_ifr_addr.sa_family =
-			    ifc->ifc_req->ifr_addr.sa_family;
-
-			if (error != 0)
+			if ((error = fo_ioctl(fp, OSIOCGIFCONF,
+					    (caddr_t) &sc, td->td_ucred,
+					    td)) != 0)
 				return error;
 
 			DPRINTF(("SIOCGIFCONF\n"));
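Review bot: `sc` is a `struct svr4_ifconf`, but the new `fo_ioctl()` call passes it as the argument of an ioctl encoded over `struct ifconf`, so the handler presumably reads its length and buffer pointer through the other type. Nothing visible here ties the two layouts together; a `CTASSERT(sizeof(struct svr4_ifconf) == sizeof(struct ifconf));` next to the define would catch drift at build time. A comment above the call would also help, e.g. `/* sc.svr4_ifc_req is a user address from copyin(); pass it through, never dereference it here */`, since dereferencing that pointer in the kernel appears to be the bug the log message describes. The enclosing case block ends outside the hunk.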

Modified: head/sys/net/if.c
==============================================================================
--- head/sys/net/if.c	Sun Jul 24 10:00:29 2016	(r303262)
+++ head/sys/net/if.c	Sun Jul 24 10:10:09 2016	(r303263)
@@ -2699,6 +2699,9 @@ ifhwioctl(u_long cmd, struct ifnet *ifp,
 	return (error);
 }
 
+/* COMPAT_SVR4 */
+#define	OSIOCGIFCONF	_IOWR('i', 20, struct ifconf)
+
 #ifdef COMPAT_FREEBSD32
 struct ifconf32 {
 	int32_t	ifc_len;
@@ -2738,6 +2741,7 @@ ifioctl(struct socket *so, u_long cmd, c
 
 	switch (cmd) {
 	case SIOCGIFCONF:
+	case OSIOCGIFCONF:	/* COMPAT_SVR4 */
 		error = ifconf(cmd, data);
 		CURVNET_RESTORE();
 		return (error);
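Review bot: The new `case OSIOCGIFCONF:` label is tagged COMPAT_SVR4 only by a comment, so as far as this hunk shows, ifioctl() accepts the legacy command on every kernel, not just those using SVR4 emulation. If the emulation is always compiled in when needed, wrapping the label (and the matching define and branch in the other if.c hunks) in `#ifdef COMPAT_SVR4` would keep the extra ioctl path out of other builds. If it can be loaded as a module, such a guard is not possible and the comment should say so instead. ifioctl()'s switch continues outside the hunk.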
@@ -3009,6 +3013,15 @@ again:
 			if (prison_if(curthread->td_ucred, sa) != 0)
 				continue;
 			addrs++;
+			/* COMPAT_SVR4 */
+			if (cmd == OSIOCGIFCONF) {
+				struct osockaddr *osa =
+				    (struct osockaddr *)&ifr.ifr_addr;
+				ifr.ifr_addr = *sa;
+				osa->sa_family = sa->sa_family;
+				sbuf_bcat(sb, &ifr, sizeof(ifr));
+				max_len += sizeof(ifr);
+			} else
 			if (sa->sa_len <= sizeof(*sa)) {
 				ifr.ifr_addr = *sa;
 				sbuf_bcat(sb, &ifr, sizeof(ifr));
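Review bot: The OSIOCGIFCONF branch copies `*sa` into `ifr.ifr_addr` without the `sa->sa_len <= sizeof(*sa)` test that guards the generic branch below it, so an address longer than struct sockaddr is emitted truncated but still labelled with its original family. If that is the intended legacy behaviour, the comment should say so, e.g. `/* COMPAT_SVR4: old ABI returns every address in a fixed-size osockaddr, longer ones are truncated */`. As a style point, the dangling `} else` followed by `if` on the next line reads more clearly as `} else if (sa->sa_len <= sizeof(*sa)) {`. The loop and the enclosing function (presumably ifconf()) start and end outside the hunk, so whether `ifr` is cleared before each entry cannot be checked here.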


