kern/77748: [PATCH] Local DoS from user-space in if_clone_list()
Wojciech A. Koszek
dunstan at freebsd.czest.pl
Sun Feb 20 12:20:08 GMT 2005
The following reply was made to PR kern/77748; it has been noted by GNATS.
From: "Wojciech A. Koszek" <dunstan at freebsd.czest.pl>
To: bug-followup at FreeBSD.org
Cc:
Subject: Re: kern/77748: [PATCH] Local DoS from user-space in if_clone_list()
Date: Sun, 20 Feb 2005 12:17:36 +0000
On Sun, Feb 20, 2005 at 10:49:55AM +0300, Maxim Konovalov wrote:
Hi Maxim,
[..]
> -
> - if (ifcr->ifcr_count < 0) {
> - err = EINVAL;
> - goto done;
> - }
> -
[..]
Indeed - we don't need this. Sorry, I could have looked at it more carefully while
writing this patch... As I see it, your correction doesn't change the function's
behaviour and it works for me.
The attached patch [diff.1.if_clone.c] corrects the problem and the redundant check.
Regards,
--
* Wojciech A. Koszek && dunstan at FreeBSD.czest.pl
Patch against FreeBSD 5.3-STABLE, kern.osreldate: 503102.
diff -upr /usr/src/sys/net/if_clone.c src/sys/net/if_clone.c
--- /usr/src/sys/net/if_clone.c Sat Feb 19 21:57:31 2005
+++ src/sys/net/if_clone.c Sun Feb 20 11:08:10 2005
@@ -239,6 +239,9 @@ if_clone_list(struct if_clonereq *ifcr)
struct if_clone *ifc;
int buf_count, count, err = 0;
+ if (ifcr->ifcr_count < 0)
+ return (EINVAL);
+
IF_CLONERS_LOCK();
/*
* Set our internal output buffer size. We could end up not
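Review bot: the new `ifcr->ifcr_count < 0` test returns directly instead of going through `done`, which is correct only because it sits above `IF_CLONERS_LOCK()`. A one-line comment saying the count is validated before the lock is taken and before the output buffer is sized (the comment just below) would keep a later edit from moving the test under the lock and returning with it held. The test also bounds the count only from below, so it is worth confirming that the sizing code after the lock clamps large positive values.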
@@ -259,11 +262,6 @@ if_clone_list(struct if_clonereq *ifcr)
ifcr->ifcr_total = if_cloners_count;
if ((dst = ifcr->ifcr_buffer) == NULL) {
/* Just asking how many there are. */
- goto done;
- }
-
- if (ifcr->ifcr_count < 0) {
- err = EINVAL;
goto done;
}
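Review bot: removing the late check changes the result for a count-only query. The deleted `ifcr_count < 0` test came after the `ifcr_buffer == NULL` branch ("Just asking how many there are"), so it was never reached on that path; with the test now at the top of the function (first hunk), a caller that passes a NULL buffer and a negative count gets EINVAL and `ifcr_total` is never filled in. If that is intended, state it in the commit message so callers that only ask for the total know to pass a non-negative count.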