Date:      Mon, 9 Apr 2018 16:32:49 +0000 (UTC)
From:      Brooks Davis <brooks@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r332332 - stable/10/sys/net
Message-ID:  <201804091632.w39GWnui024735@repo.freebsd.org>

Author: brooks
Date: Mon Apr  9 16:32:49 2018
New Revision: 332332
URL: https://svnweb.freebsd.org/changeset/base/332332

Log:
  MFC r332151:
  
  ifconf(): correct handling of sockaddrs smaller than struct sockaddr.
  
  Portable programs that use SIOCGIFCONF (e.g. traceroute) assume
  that each pseudo ifreq is of length MAX(sizeof(struct ifreq),
  sizeof(ifr_name) + ifr_addr.sa_len).  For short sockaddrs we copied
  too much from the source sockaddr resulting in a heap leak.
  
  I believe only one such sockaddr exists (struct sockaddr_sco which
  is 8 bytes) and it is unclear if such sockaddrs end up on interfaces
  in practice.  If it did, the result would be an 8 byte heap leak on
  current architectures.
  
  admbugs:	869
  Reviewed by:	kib
  Obtained from:	CheriBSD
  Security:	kernel heap leak
  Sponsored by:	DARPA, AFRL
  Differential Revision:	https://reviews.freebsd.org/D14981

Modified:
  stable/10/sys/net/if.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sys/net/if.c
==============================================================================
--- stable/10/sys/net/if.c	Mon Apr  9 16:18:02 2018	(r332331)
+++ stable/10/sys/net/if.c	Mon Apr  9 16:32:49 2018	(r332332)
@@ -3055,7 +3055,13 @@ again:
 			} else
 #endif
 			if (sa->sa_len <= sizeof(*sa)) {
-				ifr.ifr_addr = *sa;
+				if (sa->sa_len < sizeof(*sa)) {
+					memset(&ifr.ifr_ifru.ifru_addr, 0,
+					    sizeof(ifr.ifr_ifru.ifru_addr));
+					memcpy(&ifr.ifr_ifru.ifru_addr, sa,
+					    sa->sa_len);
+				} else
+					ifr.ifr_ifru.ifru_addr = *sa;
 				sbuf_bcat(sb, &ifr, sizeof(ifr));
 				max_len += sizeof(ifr);
 			} else {
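Review bot: The new `sa->sa_len < sizeof(*sa)` branch carries no comment saying why short sockaddrs are zero-padded, and the `else` arm that keeps the struct assignment looks unnecessary. The enclosing test already guarantees `sa->sa_len <= sizeof(*sa)`, so a single unconditional `memset(&ifr.ifr_ifru.ifru_addr, 0, sizeof(ifr.ifr_ifru.ifru_addr))` followed by `memcpy(&ifr.ifr_ifru.ifru_addr, sa, sa->sa_len)` would cover both cases, remove the mixed braced/unbraced if/else, and leave one copy path to audit. A one-line comment tying the padding to the SIOCGIFCONF record-length assumption described in the log would help the next reader. Separately, `sbuf_bcat(sb, &ifr, sizeof(ifr))` emits the whole `ifr` while the memset clears only `ifru_addr`; the initialisation of the rest of `ifr` is not visible in this hunk, so it is worth confirming that it is zeroed before this point.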


