svn commit: r332151 - head/sys/net
Brooks Davis
brooks at FreeBSD.org
Fri Apr 6 20:26:57 UTC 2018
Author: brooks
Date: Fri Apr 6 20:26:56 2018
New Revision: 332151
URL: https://svnweb.freebsd.org/changeset/base/332151
Log:
ifconf(): correct handling of sockaddrs smaller than struct sockaddr.
Portable programs that use SIOCGIFCONF (e.g. traceroute) assume
that each pseudo ifreq is of length MAX(sizeof(struct ifreq),
sizeof(ifr_name) + ifr_addr.sa_len). For short sockaddrs we copied
too much from the source sockaddr resulting in a heap leak.
I believe only one such sockaddr exists (struct sockaddr_sco which
is 8 bytes) and it is unclear if such sockaddrs end up on interfaces
in practice. If it did, the result would be an 8 byte heap leak on
current architectures.
admbugs: 869
Reviewed by: kib
Obtained from: CheriBSD
MFC after: 3 days
Security: kernel heap leak
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D14981
Modified:
head/sys/net/if.c
Modified: head/sys/net/if.c
==============================================================================
--- head/sys/net/if.c Fri Apr 6 20:24:50 2018 (r332150)
+++ head/sys/net/if.c Fri Apr 6 20:26:56 2018 (r332151)
@@ -3191,7 +3191,13 @@ again:
continue;
addrs++;
if (sa->sa_len <= sizeof(*sa)) {
- ifr.ifr_addr = *sa;
+ if (sa->sa_len < sizeof(*sa)) {
+ memset(&ifr.ifr_ifru.ifru_addr, 0,
+ sizeof(ifr.ifr_ifru.ifru_addr));
+ memcpy(&ifr.ifr_ifru.ifru_addr, sa,
+ sa->sa_len);
+ } else
+ ifr.ifr_ifru.ifru_addr = *sa;
sbuf_bcat(sb, &ifr, sizeof(ifr));
max_len += sizeof(ifr);
} else {
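Review bot: in the new `sa->sa_len < sizeof(*sa)` branch the memset clears only `ifr.ifr_ifru.ifru_addr`, yet the `sbuf_bcat(sb, &ifr, sizeof(ifr))` that follows copies out the whole ifreq. The fix therefore depends on the rest of `ifr` having been zeroed earlier, which this hunk does not show, so that is worth confirming. A short comment above the branch would also help, saying that a sockaddr shorter than struct sockaddr must be copied by `sa_len` so the copy does not read past the end of the source object. The removed line and the commit log both spell the field `ifr_addr`; keeping that spelling in the added lines would leave the function consistent.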