From: Gleb Smirnoff
Date: Tue, 2 Aug 2016 13:57:20 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r303658 - in stable/11/sys: compat/svr4 net

Author: glebius
Date: Tue Aug 2 13:57:20 2016
New Revision: 303658
URL: https://svnweb.freebsd.org/changeset/base/303658

Log:
  Merge r303263:
  Partially revert r257696/r257713, which have an issue with writing to user controlled address. Restore the old code that emulated OSIOCGIFCONF in if.c.

  Approved by: re (kib)

Modified:
  stable/11/sys/compat/svr4/svr4_sockio.c
  stable/11/sys/net/if.c
Directory Properties:
  stable/11/ (props changed)

Modified: stable/11/sys/compat/svr4/svr4_sockio.c ============================================================================== --- stable/11/sys/compat/svr4/svr4_sockio.c Tue Aug 2 12:18:06 2016 (r303657) +++ stable/11/sys/compat/svr4/svr4_sockio.c Tue Aug 2 13:57:20 2016 (r303658) @@ -73,6 +73,8 @@ bsd_to_svr4_flags(bf) return sf; } +#define OSIOCGIFCONF _IOWR('i', 20, struct ifconf) + int svr4_sock_ioctl(fp, td, retval, fd, cmd, data) struct file *fp; @@ -144,7 +146,6 @@ svr4_sock_ioctl(fp, td, retval, fd, cmd, case SVR4_SIOCGIFCONF: { struct svr4_ifconf sc; - struct ifconf *ifc; if ((error = copyin(data, &sc, sizeof(sc))) != 0) return error; 
@@ -153,19 +154,9 @@ svr4_sock_ioctl(fp, td, retval, fd, cmd, sizeof(struct ifreq), sizeof(struct svr4_ifreq), sc.svr4_ifc_len)); - ifc = (struct ifconf *)≻ - ifc->ifc_req->ifr_addr.sa_family = - sc.svr4_ifc_req->svr4_ifr_addr.sa_family; - ifc->ifc_req->ifr_addr.sa_len = - sizeof(struct osockaddr); - - error = fo_ioctl(fp, SIOCGIFCONF, &sc, td->td_ucred, - td); - - sc.svr4_ifc_req->svr4_ifr_addr.sa_family = - ifc->ifc_req->ifr_addr.sa_family; - - if (error != 0) + if ((error = fo_ioctl(fp, OSIOCGIFCONF, + (caddr_t) &sc, td->td_ucred, + td)) != 0) return error; DPRINTF(("SIOCGIFCONF\n")); Modified: stable/11/sys/net/if.c ============================================================================== --- stable/11/sys/net/if.c Tue Aug 2 12:18:06 2016 (r303657) +++ stable/11/sys/net/if.c Tue Aug 2 13:57:20 2016 (r303658) @@ -2699,6 +2699,9 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, return (error); } +/* COMPAT_SVR4 */ +#define OSIOCGIFCONF _IOWR('i', 20, struct ifconf) + #ifdef COMPAT_FREEBSD32 struct ifconf32 { int32_t ifc_len; @@ -2738,6 +2741,7 @@ ifioctl(struct socket *so, u_long cmd, c switch (cmd) { case SIOCGIFCONF: + case OSIOCGIFCONF: /* COMPAT_SVR4 */ error = ifconf(cmd, data); CURVNET_RESTORE(); return (error); @@ -3009,6 +3013,15 @@ again: if (prison_if(curthread->td_ucred, sa) != 0) continue; addrs++; + /* COMPAT_SVR4 */ + if (cmd == OSIOCGIFCONF) { + struct osockaddr *osa = + (struct osockaddr *)&ifr.ifr_addr; + ifr.ifr_addr = *sa; + osa->sa_family = sa->sa_family; + sbuf_bcat(sb, &ifr, sizeof(ifr)); + max_len += sizeof(ifr); + } else if (sa->sa_len <= sizeof(*sa)) { ifr.ifr_addr = *sa; sbuf_bcat(sb, &ifr, sizeof(ifr));
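Review bot: OSIOCGIFCONF is defined twice with the same body, once in the svr4_sockio.c hunk at @@ -73,6 +73,8 and again in the if.c hunk at @@ -2699,6 +2699,9. The caller and the handler only agree as long as both copies of `_IOWR('i', 20, struct ifconf)` stay identical, so the definition would be safer in one header that both files include, with a comment saying it exists only for the SVR4 emulation path.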
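Review bot: In the svr4_sockio.c hunk at @@ -153,19 +154,9 the new call passes `(caddr_t) &sc`, where sc is declared as struct svr4_ifconf, to an ioctl whose command is encoded with struct ifconf, so the call is only correct if the two structures have the same size and field layout. Nothing in the visible lines enforces that. A compile-time size assertion next to the call, or at least a comment stating the layout assumption, would keep a later change to either structure from silently turning this into a mis-sized kernel read or write. The removed lines dereferenced `ifc->ifc_req`, a pointer taken from the copied-in user structure, which matches the problem named in the log message; it is worth saying so in a comment here so the pattern is not reintroduced.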
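Review bot: In the if.c hunk at @@ -2738,6 +2741,7 the new `case OSIOCGIFCONF:` is marked only with a `/* COMPAT_SVR4 */` comment, not a preprocessor guard, so the legacy command is accepted by ifioctl() on every kernel, including ones built without SVR4 emulation. The same applies to the `#define` added at @@ -2699,6 +2699,9, which sits right above a block that is properly wrapped in `#ifdef COMPAT_FREEBSD32`. Suggest wrapping the define, this case label and the ifconf() branch in `#ifdef COMPAT_SVR4` so the extra ioctl surface exists only where it is needed.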
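Review bot: In the if.c hunk at @@ -3009,6 +3013,15 the OSIOCGIFCONF branch does `ifr.ifr_addr = *sa;` without the `sa->sa_len <= sizeof(*sa)` test that the following branch applies, so an address longer than struct sockaddr is emitted truncated instead of being handled by the larger-address path. If truncation is the intended behaviour of the old interface, a comment should say so; otherwise such addresses should be skipped. The store `osa->sa_family = sa->sa_family;` through the struct osockaddr cast also overwrites the leading bytes of ifr_addr that were just copied, which deserves a one-line comment explaining the old sockaddr layout. Style: the `} else` left at the end of the new block continues onto the existing `if` on the next line; putting `else if` on one line would make the chain easier to read.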