svn commit: r326362 - in head: share/man/man4 sys/net
Hans Petter Selasky
hselasky at FreeBSD.org
Wed Nov 29 09:40:13 UTC 2017
Author: hselasky
Date: Wed Nov 29 09:40:11 2017
New Revision: 326362
URL: https://svnweb.freebsd.org/changeset/base/326362
Log:
Disallow TUN and TAP character device IOCTLs to modify the network device
type to any value. This can cause page faults and panics due to accessing
uninitialized fields in the "struct ifnet" which are specific to the network
device type.
MFC after: 1 week
Found by: jau at iki.fi
PR: 223767
Sponsored by: Mellanox Technologies
Modified:
head/share/man/man4/tap.4
head/share/man/man4/tun.4
head/sys/net/if_tap.c
head/sys/net/if_tun.c
Modified: head/share/man/man4/tap.4
==============================================================================
--- head/share/man/man4/tap.4 Wed Nov 29 09:18:24 2017 (r326361)
+++ head/share/man/man4/tap.4 Wed Nov 29 09:40:11 2017 (r326362)
@@ -1,7 +1,7 @@
.\" $FreeBSD$
.\" Based on PR#2411
.\"
-.Dd April 10, 2015
+.Dd November 29, 2017
.Dt TAP 4
.Os
.Sh NAME
@@ -171,7 +171,14 @@ calls are supported
.In net/if_tap.h ) :
.Bl -tag -width VMIO_SIOCSETMACADDR
.It Dv TAPSIFINFO
-Set network interface information (line speed, MTU and type).
+Set network interface information (line speed and MTU).
+The type must be the same as returned by
+.Dv TAPGIFINFO
+or set to
+.Dv IFT_ETHER
+else the
+.Xr ioctl 2
+call will fail.
The argument should be a pointer to a
.Va struct tapinfo .
.It Dv TAPGIFINFO
Modified: head/share/man/man4/tun.4
==============================================================================
--- head/share/man/man4/tun.4 Wed Nov 29 09:18:24 2017 (r326361)
+++ head/share/man/man4/tun.4 Wed Nov 29 09:40:11 2017 (r326362)
@@ -2,7 +2,7 @@
.\" $FreeBSD$
.\" Based on PR#2411
.\"
-.Dd November 30, 2014
+.Dd November 29, 2017
.Dt TUN 4
.Os
.Sh NAME
@@ -208,8 +208,15 @@ this stores the internal debugging variable's value in
.It Dv TUNSIFINFO
The argument should be a pointer to an
.Vt struct tuninfo
-and allows setting the MTU, the type, and the baudrate of the tunnel
+and allows setting the MTU and the baudrate of the tunnel
device.
+The type must be the same as returned by
+.Dv TUNGIFINFO
+or set to
+.Dv IFT_PPP
+else the
+.Xr ioctl 2
+call will fail.
The
.Vt struct tuninfo
is declared in
Modified: head/sys/net/if_tap.c
==============================================================================
--- head/sys/net/if_tap.c Wed Nov 29 09:18:24 2017 (r326361)
+++ head/sys/net/if_tap.c Wed Nov 29 09:40:11 2017 (r326362)
@@ -737,9 +737,10 @@ tapioctl(struct cdev *dev, u_long cmd, caddr_t data, i
switch (cmd) {
case TAPSIFINFO:
tapp = (struct tapinfo *)data;
+ if (ifp->if_type != tapp->type)
+ return (EPROTOTYPE);
mtx_lock(&tp->tap_mtx);
ifp->if_mtu = tapp->mtu;
- ifp->if_type = tapp->type;
ifp->if_baudrate = tapp->baudrate;
mtx_unlock(&tp->tap_mtx);
break;
Modified: head/sys/net/if_tun.c
==============================================================================
--- head/sys/net/if_tun.c Wed Nov 29 09:18:24 2017 (r326361)
+++ head/sys/net/if_tun.c Wed Nov 29 09:40:11 2017 (r326362)
@@ -676,9 +676,10 @@ tunioctl(struct cdev *dev, u_long cmd, caddr_t data, i
if (error)
return (error);
}
+ if (TUN2IFP(tp)->if_type != tunp->type)
+ return (EPROTOTYPE);
mtx_lock(&tp->tun_mtx);
TUN2IFP(tp)->if_mtu = tunp->mtu;
- TUN2IFP(tp)->if_type = tunp->type;
TUN2IFP(tp)->if_baudrate = tunp->baudrate;
mtx_unlock(&tp->tun_mtx);
break;
More information about the svn-src-all
mailing list