Date: Mon, 9 Apr 2018 15:21:40 +0000 (UTC) From: Brooks Davis <brooks@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r332329 - stable/11/sys/net Message-ID: <201804091521.w39FLeED087770@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: brooks Date: Mon Apr 9 15:21:40 2018 New Revision: 332329 URL: https://svnweb.freebsd.org/changeset/base/332329 Log: MFC r332151: ifconf(): correct handling of sockaddrs smaller than struct sockaddr. Portable programs that use SIOCGIFCONF (e.g. traceroute) assume that each pseudo ifreq is of length MAX(sizeof(struct ifreq), sizeof(ifr_name) + ifr_addr.sa_len). For short sockaddrs we copied too much from the source sockaddr resulting in a heap leak. I believe only one such sockaddr exists (struct sockaddr_sco which is 8 bytes) and it is unclear if such sockaddrs end up on interfaces in practice. If it did, the result would be an 8 byte heap leak on current architectures. admbugs: 869 Reviewed by: kib Obtained from: CheriBSD Security: kernel heap leak Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D14981 Modified: stable/11/sys/net/if.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/net/if.c ============================================================================== --- stable/11/sys/net/if.c Mon Apr 9 15:11:17 2018 (r332328) +++ stable/11/sys/net/if.c Mon Apr 9 15:21:40 2018 (r332329) @@ -3153,7 +3153,13 @@ again: max_len += sizeof(ifr); } else if (sa->sa_len <= sizeof(*sa)) { - ifr.ifr_addr = *sa; + if (sa->sa_len < sizeof(*sa)) { + memset(&ifr.ifr_ifru.ifru_addr, 0, + sizeof(ifr.ifr_ifru.ifru_addr)); + memcpy(&ifr.ifr_ifru.ifru_addr, sa, + sa->sa_len); + } else + ifr.ifr_ifru.ifru_addr = *sa; sbuf_bcat(sb, &ifr, sizeof(ifr)); max_len += sizeof(ifr); } else {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201804091521.w39FLeED087770>