svn commit: r192094 - head/sys/kern

Konstantin Belousov kib at FreeBSD.org
Thu May 14 10:54:58 UTC 2009


Author: kib
Date: Thu May 14 10:54:57 2009
New Revision: 192094
URL: http://svn.freebsd.org/changeset/base/192094

Log:
  Do not advance req->oldidx when sysctl_old_user is returning an
  error due to copyout failure or short buffer.
  
  The latter breaks the usermode iterators of the sysctl results that pack
  an arbitrary number of variable-sized structures. The iterator expects that
  the kernel filled exactly oldlen bytes, and tries to interpret a half-filled
  or garbage structure at the end of the buffer. In particular,
  kinfo_getfile(3) segfaulted.
  
  Reported and tested by:	pho
  MFC after:	3 weeks

Modified:
  head/sys/kern/kern_sysctl.c

Modified: head/sys/kern/kern_sysctl.c
==============================================================================
--- head/sys/kern/kern_sysctl.c	Thu May 14 10:47:11 2009	(r192093)
+++ head/sys/kern/kern_sysctl.c	Thu May 14 10:54:57 2009	(r192094)
@@ -1221,9 +1221,9 @@ sysctl_old_kernel(struct sysctl_req *req
 		if (i > 0)
 			bcopy(p, (char *)req->oldptr + req->oldidx, i);
 	}
-	req->oldidx += l;
 	if (req->oldptr && i != l)
 		return (ENOMEM);
+	req->oldidx += l;
 	return (0);
 }
 
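Review bot: The log message names only sysctl_old_user, but moving "req->oldidx += l" below the "i != l" check changes sysctl_old_kernel in the same way, so the log should mention both functions. On the ENOMEM return the bcopy above has still written i bytes at req->oldptr + req->oldidx, so the buffer now holds a partial item past the reported index. A one-line comment stating that oldidx counts only completely copied items, and that bytes beyond it are undefined on error, would make that contract explicit for in-kernel callers.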
@@ -1320,9 +1320,10 @@ sysctl_old_user(struct sysctl_req *req, 
 	size_t i, len, origidx;
 
 	origidx = req->oldidx;
-	req->oldidx += l;
-	if (req->oldptr == NULL)
+	if (req->oldptr == NULL) {
+		req->oldidx += l;
 		return (0);
+	}
 	/*
 	 * If we have not wired the user supplied buffer and we are currently
 	 * holding locks, drop a witness warning, as it's possible that
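Review bot: With the unconditional "req->oldidx += l" removed from the top of sysctl_old_user, origidx and req->oldidx hold the same value once past the NULL check, as far as this hunk shows. If nothing between here and the final returns modifies req->oldidx, origidx is now redundant and could be dropped in favour of req->oldidx directly. It is also worth a short comment on the "req->oldptr == NULL" branch saying that the size-probe case deliberately still advances oldidx, since it is now the only early return that does.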
@@ -1344,6 +1345,7 @@ sysctl_old_user(struct sysctl_req *req, 
 		return (error);
 	if (i < l)
 		return (ENOMEM);
+	req->oldidx += l;
 	return (0);
 }
 
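Review bot: Both early returns ahead of the new "req->oldidx += l" (the "return (error)" and the "i < l" ENOMEM case) now leave req->oldidx at its entry value, which is a user-visible change for callers that used the length reported alongside ENOMEM to size a retry buffer. Such callers will now see only the bytes of fully copied items rather than the amount the kernel wanted to write, so they need a separate NULL-oldptr probe to learn the required size. Please note this in the function comment or the sysctl(3) documentation, and confirm before the MFC that no consumer in the tree depends on the old behaviour.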

