From owner-svn-src-all@FreeBSD.ORG Sun Dec 29 22:20:07 2013 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7490638D; Sun, 29 Dec 2013 22:20:07 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 611C91D40; Sun, 29 Dec 2013 22:20:07 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id rBTMK796043714; Sun, 29 Dec 2013 22:20:07 GMT (envelope-from glebius@svn.freebsd.org) Received: (from glebius@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id rBTMK7ls043713; Sun, 29 Dec 2013 22:20:07 GMT (envelope-from glebius@svn.freebsd.org) Message-Id: <201312292220.rBTMK7ls043713@svn.freebsd.org> From: Gleb Smirnoff Date: Sun, 29 Dec 2013 22:20:07 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r260060 - head/sys/netinet X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 29 Dec 2013 22:20:07 -0000 Author: glebius Date: Sun Dec 29 22:20:06 2013 New Revision: 260060 URL: http://svnweb.freebsd.org/changeset/base/260060 Log: Fix couple of bugs from r257692 related to scan of address list on an interface: - in in_control() skip over not AF_INET addresses. - in in_aifaddr_ioctl() and in_difaddr_ioctl() do correct check of address family, w/o accessing memory beyond struct ifaddr. Sponsored by: Nginx, Inc. Modified: head/sys/netinet/in.c Modified: head/sys/netinet/in.c ============================================================================== --- head/sys/netinet/in.c Sun Dec 29 20:48:47 2013 (r260059) +++ head/sys/netinet/in.c Sun Dec 29 22:20:06 2013 (r260060) @@ -247,6 +247,8 @@ in_control(struct socket *so, u_long cmd */ IF_ADDR_RLOCK(ifp); TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { + if (ifa->ifa_addr->sa_family != AF_INET) + continue; ia = (struct in_ifaddr *)ifa; if (cmd == SIOCGIFADDR || addr->sin_addr.s_addr == INADDR_ANY) break; @@ -338,11 +340,12 @@ in_aifaddr_ioctl(u_long cmd, caddr_t dat ia = NULL; IF_ADDR_RLOCK(ifp); TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { - struct in_ifaddr *it = ifatoia(ifa); + struct in_ifaddr *it; - if (it->ia_addr.sin_family != AF_INET) + if (ifa->ifa_addr->sa_family != AF_INET) continue; + it = (struct in_ifaddr *)ifa; iaIsFirst = false; if (it->ia_addr.sin_addr.s_addr == addr->sin_addr.s_addr && prison_check_ip4(td->td_ucred, &addr->sin_addr) == 0) @@ -530,11 +533,12 @@ in_difaddr_ioctl(caddr_t data, struct if ia = NULL; IF_ADDR_WLOCK(ifp); TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { - struct in_ifaddr *it = ifatoia(ifa); + struct in_ifaddr *it; - if (it->ia_addr.sin_family != AF_INET) + if (ifa->ifa_addr->sa_family != AF_INET) continue; + it = (struct in_ifaddr *)ifa; if (deleteAny && ia == NULL && (td == NULL || prison_check_ip4(td->td_ucred, &it->ia_addr.sin_addr) == 0)) ia = it;