kern/77748: [PATCH] Local DoS from user-space in if_clone_list()

Wojciech A. Koszek dunstan at freebsd.czest.pl
Sun Feb 20 12:20:08 GMT 2005


The following reply was made to PR kern/77748; it has been noted by GNATS.

From: "Wojciech A. Koszek" <dunstan at freebsd.czest.pl>
To: bug-followup at FreeBSD.org
Cc:  
Subject: Re: kern/77748: [PATCH] Local DoS from user-space in if_clone_list()
Date: Sun, 20 Feb 2005 12:17:36 +0000

 
 On Sun, Feb 20, 2005 at 10:49:55AM +0300, Maxim Konovalov wrote:
 Hi Maxim,
 
 [..]
 > -
 > -	if (ifcr->ifcr_count < 0) {
 > -		err = EINVAL;
 > -		goto done;
 > -	}
 > -
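Review bot: this excerpt drops the ifcr_count < 0 check without showing the surrounding lines, so on its own it reads as removing the only validation of the user-supplied count in if_clone_list(); it is a correct simplification only if an equivalent check exists earlier, before the count is used, which is what the attached diff.1.if_clone.c adds at the top of the function.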
 [..]
 
Indeed - we don't need this. Sorry, I could have looked at it more carefully while
writing this patch... As far as I can see, your correction doesn't change the function's
behaviour and it works for me.
 
The attached patch [diff.1.if_clone.c] corrects the problem and the redundant check.
 
 Regards,
 -- 
 * Wojciech A. Koszek && dunstan at FreeBSD.czest.pl
 
Attachment: diff.1.if_clone.c
 
 Patch against FreeBSD 5.3-STABLE, kern.osreldate: 503102.
 
 diff -upr /usr/src/sys/net/if_clone.c src/sys/net/if_clone.c
 --- /usr/src/sys/net/if_clone.c	Sat Feb 19 21:57:31 2005
 +++ src/sys/net/if_clone.c	Sun Feb 20 11:08:10 2005
 @@ -239,6 +239,9 @@ if_clone_list(struct if_clonereq *ifcr)
  	struct if_clone *ifc;
  	int buf_count, count, err = 0;
  
 +	if (ifcr->ifcr_count < 0)
 +		return (EINVAL);
 +
  	IF_CLONERS_LOCK();
  	/*
  	 * Set our internal output buffer size.  We could end up not
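Review bot: the new check returns EINVAL directly instead of going through the err/goto done path used further down; that is right here because it runs before IF_CLONERS_LOCK(), so there is nothing to release, and it also rejects the user-supplied ifcr_count before the output buffer size ("Set our internal output buffer size") can be derived from a negative value under the lock. A one-line comment saying the check must stay ahead of the lock and the sizing would keep a future reorder from reintroducing the problem.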
 @@ -259,11 +262,6 @@ if_clone_list(struct if_clonereq *ifcr)
  	ifcr->ifcr_total = if_cloners_count;
  	if ((dst = ifcr->ifcr_buffer) == NULL) {
  		/* Just asking how many there are. */
 -		goto done;
 -	}
 -
 -	if (ifcr->ifcr_count < 0) {
 -		err = EINVAL;
  		goto done;
  	}
  
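Review bot: removing the second ifcr_count check here is only safe together with the first hunk, since before this change it was the sole validation and it sat after the buffer sizing; the two hunks should land as one commit, not be cherry-picked separately. The remaining `goto done;` and `}` context lines close the `if ((dst = ifcr->ifcr_buffer) == NULL)` block, so the braces stay balanced and the "Just asking how many there are" comment now reads as the direct explanation of that early exit.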
 