From owner-svn-src-head@freebsd.org Sun Jul 24 10:10:11 2016 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 20173B9BBB4; Sun, 24 Jul 2016 10:10:11 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D7E06131C; Sun, 24 Jul 2016 10:10:10 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u6OAAA2W012436; Sun, 24 Jul 2016 10:10:10 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u6OAA9IJ012434; Sun, 24 Jul 2016 10:10:09 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201607241010.u6OAA9IJ012434@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f 
From: Gleb Smirnoff Date: Sun, 24 Jul 2016 10:10:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r303263 - in head/sys: compat/svr4 net X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Jul 2016 10:10:11 -0000 Author: glebius Date: Sun Jul 24 10:10:09 2016 New Revision: 303263 URL: https://svnweb.freebsd.org/changeset/base/303263 Log: Partially revert r257696/r257713, which have an issue with writing to user controlled address. Restore the old code that emulated OSIOCGIFCONF in if.c. Noticed by: C Turt Modified: head/sys/compat/svr4/svr4_sockio.c head/sys/net/if.c
Modified: head/sys/compat/svr4/svr4_sockio.c
==============================================================================
--- head/sys/compat/svr4/svr4_sockio.c Sun Jul 24 10:00:29 2016 (r303262)
+++ head/sys/compat/svr4/svr4_sockio.c Sun Jul 24 10:10:09 2016 (r303263)
@@ -73,6 +73,8 @@ bsd_to_svr4_flags(bf)
return sf;
}
+#define OSIOCGIFCONF _IOWR('i', 20, struct ifconf)
+
int
svr4_sock_ioctl(fp, td, retval, fd, cmd, data)
struct file *fp;
@@ -144,7 +146,6 @@ svr4_sock_ioctl(fp, td, retval, fd, cmd,
case SVR4_SIOCGIFCONF: {
struct svr4_ifconf sc;
- struct ifconf *ifc;
if ((error = copyin(data, &sc, sizeof(sc))) != 0)
return error;
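Review bot: `OSIOCGIFCONF` is now defined twice with the same expansion, here above `svr4_sock_ioctl` and again in the `head/sys/net/if.c` hunk just before `#ifdef COMPAT_FREEBSD32`, and nothing ties the two copies together. A later edit to one of them would make the SVR4 path issue a command number that `ifioctl` no longer matches, without any build error. A single definition in a header that both files include would remove that risk; if the private copies have to stay, each deserves a comment naming the other, for example `/* Must match OSIOCGIFCONF in sys/net/if.c. */` on this one.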
@@ -153,19 +154,9 @@ svr4_sock_ioctl(fp, td, retval, fd, cmd,
sizeof(struct ifreq), sizeof(struct svr4_ifreq), sc.svr4_ifc_len));
- ifc = (struct ifconf *)≻
- ifc->ifc_req->ifr_addr.sa_family =
- sc.svr4_ifc_req->svr4_ifr_addr.sa_family;
- ifc->ifc_req->ifr_addr.sa_len =
- sizeof(struct osockaddr);
-
- error = fo_ioctl(fp, SIOCGIFCONF, &sc, td->td_ucred,
- td);
-
- sc.svr4_ifc_req->svr4_ifr_addr.sa_family =
- ifc->ifc_req->ifr_addr.sa_family;
-
- if (error != 0)
+ if ((error = fo_ioctl(fp, OSIOCGIFCONF,
+ (caddr_t) &sc, td->td_ucred,
+ td)) != 0)
return error;
DPRINTF(("SIOCGIFCONF\n"));
Modified: head/sys/net/if.c
==============================================================================
--- head/sys/net/if.c Sun Jul 24 10:00:29 2016 (r303262)
+++ head/sys/net/if.c Sun Jul 24 10:10:09 2016 (r303263)
@@ -2699,6 +2699,9 @@ ifhwioctl(u_long cmd, struct ifnet *ifp,
return (error);
}
+/* COMPAT_SVR4 */
+#define OSIOCGIFCONF _IOWR('i', 20, struct ifconf)
+
#ifdef COMPAT_FREEBSD32
struct ifconf32 {
int32_t ifc_len;
@@ -2738,6 +2741,7 @@ ifioctl(struct socket *so, u_long cmd, c
switch (cmd) {
case SIOCGIFCONF:
+ case OSIOCGIFCONF: /* COMPAT_SVR4 */
error = ifconf(cmd, data);
CURVNET_RESTORE();
return (error);
@@ -3009,6 +3013,15 @@ again:
if (prison_if(curthread->td_ucred, sa) != 0)
continue;
addrs++;
+ /* COMPAT_SVR4 */
+ if (cmd == OSIOCGIFCONF) {
+ struct osockaddr *osa =
+ (struct osockaddr *)&ifr.ifr_addr;
+ ifr.ifr_addr = *sa;
+ osa->sa_family = sa->sa_family;
+ sbuf_bcat(sb, &ifr, sizeof(ifr));
+ max_len += sizeof(ifr);
+ } else
if (sa->sa_len <= sizeof(*sa)) {
ifr.ifr_addr = *sa;
sbuf_bcat(sb, &ifr, sizeof(ifr));
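Review bot: The call `fo_ioctl(fp, OSIOCGIFCONF, (caddr_t) &sc, ...)` hands a `struct svr4_ifconf` to code that, going by the `_IOWR('i', 20, struct ifconf)` definition, treats the buffer as a `struct ifconf`, and nothing in the hunk checks that the two layouts agree. Neither structure definition is visible here, so this may already hold, but a compile-time check next to the macro, such as `CTASSERT(sizeof(struct svr4_ifconf) == sizeof(struct ifconf));`, would stop a future layout change from becoming an out-of-bounds access on the kernel stack. A short comment at the call stating that `sc.svr4_ifc_req` is a user-space pointer copied in from `data`, and so must never be dereferenced directly in the kernel, would record why the removed stores through `ifc->ifc_req` were wrong. The `case SVR4_SIOCGIFCONF` block begins before this hunk and continues after it.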
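Review bot: `case OSIOCGIFCONF:` in `ifioctl` is marked COMPAT_SVR4 only by a comment; neither this case nor the macro added in the earlier hunk of this file sits under an `#ifdef`, so the legacy command is accepted from every caller of `ifioctl`, not only from the SVR4 emulation. If a kernel option for the emulation can be tested in this file, wrapping the define and this case in it would keep the extra entry point out of kernels that do not need it. If it has to stay unconditional, which the hunk does not let me judge, the comment should say why, e.g. `/* COMPAT_SVR4: kept unconditional because <reason> */`. The switch and the rest of `ifioctl` lie outside the hunk.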
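Review bot: The new `cmd == OSIOCGIFCONF` branch copies `*sa` into `ifr.ifr_addr` without looking at `sa->sa_len`, whereas the native branch directly below it only makes that copy when `sa->sa_len <= sizeof(*sa)`. For an address longer than `struct sockaddr` the record returned to the caller is silently truncated, and for a shorter one the structure assignment reads `sizeof(*sa)` bytes from an object that may be smaller, and those bytes then leave through `sbuf_bcat`. Bounding the copy, e.g. `memcpy(&ifr.ifr_addr, sa, MIN(sa->sa_len, sizeof(ifr.ifr_addr)));`, would cover the short case provided `ifr` is cleared for each record, which is outside the hunk; the truncation should at least be stated in the `/* COMPAT_SVR4 */` comment. The loop and the rest of `ifconf` start and end outside the hunk.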