svn commit: r332329 - stable/11/sys/net

Brooks Davis brooks at FreeBSD.org
Mon Apr 9 15:21:41 UTC 2018


Author: brooks
Date: Mon Apr  9 15:21:40 2018
New Revision: 332329
URL: https://svnweb.freebsd.org/changeset/base/332329

Log:
  MFC r332151:
  
  ifconf(): correct handling of sockaddrs smaller than struct sockaddr.
  
  Portable programs that use SIOCGIFCONF (e.g. traceroute) assume
  that each pseudo ifreq is of length MAX(sizeof(struct ifreq),
  sizeof(ifr_name) + ifr_addr.sa_len).  For short sockaddrs we copied
  too much from the source sockaddr resulting in a heap leak.
  
  I believe only one such sockaddr exists (struct sockaddr_sco which
  is 8 bytes) and it is unclear if such sockaddrs end up on interfaces
  in practice.  If it did, the result would be an 8 byte heap leak on
  current architectures.
  
  admbugs:	869
  Reviewed by:	kib
  Obtained from:	CheriBSD
  Security:	kernel heap leak
  Sponsored by:	DARPA, AFRL
  Differential Revision:	https://reviews.freebsd.org/D14981

Modified:
  stable/11/sys/net/if.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/net/if.c
==============================================================================
--- stable/11/sys/net/if.c	Mon Apr  9 15:11:17 2018	(r332328)
+++ stable/11/sys/net/if.c	Mon Apr  9 15:21:40 2018	(r332329)
@@ -3153,7 +3153,13 @@ again:
 				max_len += sizeof(ifr);
 			} else
 			if (sa->sa_len <= sizeof(*sa)) {
-				ifr.ifr_addr = *sa;
+				if (sa->sa_len < sizeof(*sa)) {
+					memset(&ifr.ifr_ifru.ifru_addr, 0,
+					    sizeof(ifr.ifr_ifru.ifru_addr));
+					memcpy(&ifr.ifr_ifru.ifru_addr, sa,
+					    sa->sa_len);
+				} else
+					ifr.ifr_ifru.ifru_addr = *sa;
 				sbuf_bcat(sb, &ifr, sizeof(ifr));
 				max_len += sizeof(ifr);
 			} else {
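Review bot: The new `sa->sa_len < sizeof(*sa)` branch carries no comment saying why a plain struct assignment is unsafe here, and the split into two branches looks unnecessary. The memset followed by memcpy of `sa->sa_len` bytes is also correct when `sa_len == sizeof(*sa)`, so the inner if/else could collapse into the memset/memcpy pair alone, with a one-line comment that short sockaddrs must not be read past `sa_len`. Separately, the memset clears only `ifr.ifr_ifru.ifru_addr`, while `sbuf_bcat(sb, &ifr, sizeof(ifr))` copies the whole `ifr` out. These lines do not show whether the rest of `ifr` is zeroed earlier in the loop, so that is worth confirming before relying on this as the complete fix for the leak.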

