From owner-freebsd-bugs@FreeBSD.ORG Sun Feb 20 12:20:08 2005
Date: Sun, 20 Feb 2005 12:20:07 GMT
Message-Id: <200502201220.j1KCK7v0025243@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Wojciech A. Koszek"
Subject: Re: kern/77748: [PATCH] Local DoS from user-space in if_clone_list()
List-Id: Bug reports

The following reply was made to PR kern/77748; it has been noted by GNATS.
From: "Wojciech A. Koszek"
To: bug-followup@FreeBSD.org
Subject: Re: kern/77748: [PATCH] Local DoS from user-space in if_clone_list()
Date: Sun, 20 Feb 2005 12:17:36 +0000

On Sun, Feb 20, 2005 at 10:49:55AM +0300, Maxim Konovalov wrote:

Hi Maxim,

[..]
> -
> -	if (ifcr->ifcr_count < 0) {
> -		err = EINVAL;
> -		goto done;
> -	}
[..]

Indeed - we don't need this. Sorry, I could have looked at it more carefully while writing this patch... As I see it, your correction doesn't change the function's behaviour and it works for me.

The attached patch [diff.1.if_clone.c] corrects the problem and the redundant check.

Regards,
-- 
* Wojciech A. Koszek && dunstan@FreeBSD.czest.pl

[attachment: diff.1.if_clone.c]

Patch against FreeBSD 5.3-STABLE, kern.osreldate: 503102.

diff -upr /usr/src/sys/net/if_clone.c src/sys/net/if_clone.c
--- /usr/src/sys/net/if_clone.c	Sat Feb 19 21:57:31 2005
+++ src/sys/net/if_clone.c	Sun Feb 20 11:08:10 2005
@@ -239,6 +239,9 @@ if_clone_list(struct if_clonereq *ifcr)
 	struct if_clone *ifc;
 	int buf_count, count, err = 0;
 
+	if (ifcr->ifcr_count < 0)
+		return (EINVAL);
+
 	IF_CLONERS_LOCK();
 	/*
 	 * Set our internal output buffer size.  We could end up not
@@ -259,11 +262,6 @@ if_clone_list(struct if_clonereq *ifcr)
 	ifcr->ifcr_total = if_cloners_count;
 	if ((dst = ifcr->ifcr_buffer) == NULL) {
 		/* Just asking how many there are. */
-		goto done;
-	}
-
-	if (ifcr->ifcr_count < 0) {
-		err = EINVAL;
 		goto done;
 	}
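Review bot: In hunk @@ -239,6 +239,9 @@ the new `if (ifcr->ifcr_count < 0) return (EINVAL);` is placed before IF_CLONERS_LOCK() and before the "Set our internal output buffer size" block, so a negative user-supplied count is rejected before it can feed the buffer sizing, and the bare `return (EINVAL)` rather than `goto done` is correct because no lock is held and nothing has been allocated at that point. Worth noting for future edits: the early return bypasses the `done:` path and the `err = 0` initialiser entirely, so if the lock acquisition is ever moved above this check the return would have to become a `goto done` again.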
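Review bot: In hunk @@ -259,11 +262,6 @@ the deleted `if (ifcr->ifcr_count < 0)` check sat after IF_CLONERS_LOCK() and after the output buffer had already been sized (both visible in the previous hunk's context), so it could never have protected the sizing; removing it is only correct together with the early return the first hunk adds, which this patch does provide, and the remaining `goto done; }` correctly stays with the NULL-buffer branch. One mechanical point: the header promises 11 old lines but only 10 are visible in this archived copy (the trailing context line after the closing brace appears to have been lost), so regenerate the diff from the tree rather than applying this text verbatim.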
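To make the ordering the patch changes concrete, here is an added C example, not code from the PR or from FreeBSD, that models the buffer-sizing step of if_clone_list() in userland with the check placed after the sizing (pre-patch) beside the check placed first (post-patch). IFNAMSIZ, the clamp-to-cloner-count expression and the stand-in if_cloners_count value are assumptions taken from the hunk context; the exact in-kernel sizing expression is not shown on this page.

```c
/*
 * Added example, not FreeBSD code: a userland model of the buffer-sizing
 * step in if_clone_list(), showing why ifcr_count must be checked before
 * a size is derived from it. IFNAMSIZ, the clamp-to-cloner-count
 * expression and the cloner count itself are assumptions for this model.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define IFNAMSIZ	16	/* assumed, matches <net/if.h> */

/* Stand-in for the kernel's if_cloners_count (constructed value). */
static int if_cloners_count = 5;

/*
 * Pre-patch ordering: the size is computed from the user-supplied count
 * first and the sign check only happens later. Returns the byte count
 * that would be handed to malloc(). For ifcr_count < 0 the product is
 * negative and converts to a huge size_t; that is what the patch avoids.
 */
size_t
alloc_size_before_fix(int ifcr_count)
{
	int buf_count;

	buf_count = (if_cloners_count < ifcr_count) ?
	    if_cloners_count : ifcr_count;
	return ((size_t)(IFNAMSIZ * buf_count));	/* wraps if buf_count < 0 */
}

/*
 * Patched ordering: reject a negative count before anything else,
 * as the first hunk does with `return (EINVAL)`.
 * Returns 0 on acceptance, EINVAL otherwise.
 */
int
check_count_after_fix(int ifcr_count)
{
	if (ifcr_count < 0)
		return (EINVAL);
	return (0);
}

/* Size computed only after the count has passed the check; 0 if rejected. */
size_t
alloc_size_after_fix(int ifcr_count)
{
	int buf_count;

	if (check_count_after_fix(ifcr_count) != 0)
		return (0);
	buf_count = (if_cloners_count < ifcr_count) ?
	    if_cloners_count : ifcr_count;
	return ((size_t)IFNAMSIZ * (size_t)buf_count);
}

int
main(void)
{
	printf("before fix, ifcr_count=-1: %zu bytes\n",
	    alloc_size_before_fix(-1));
	printf("after fix,  ifcr_count=-1: err=%d, %zu bytes\n",
	    check_count_after_fix(-1), alloc_size_after_fix(-1));
	printf("after fix,  ifcr_count=100 (clamped to %d cloners): %zu bytes\n",
	    if_cloners_count, alloc_size_after_fix(100));
	return (0);
}
```

The pre-patch function never fails: a caller passing -1 gets a size near SIZE_MAX back, which is the value the kernel would have to allocate. The patched ordering turns the same input into EINVAL before any size exists, and a large positive count is simply clamped to the number of registered cloners.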