Date: Sun, 20 Feb 2005 07:50:27 GMT
Message-Id: <200502200750.j1K7oRDM083426@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Maxim Konovalov
Subject: Re: kern/77748: [PATCH] Local DoS from user-space in if_clone_list()

The following reply was made to PR kern/77748; it has been noted by GNATS.
From: Maxim Konovalov To: "Wojciech A. Koszek" Cc: bug-followup@freebsd.org Subject: Re: kern/77748: [PATCH] Local DoS from user-space in if_clone_list() Date: Sun, 20 Feb 2005 10:49:55 +0300 (MSK) Hi Wojciech, Nice catch! It seems with your patch we do not need a second check for ifcr->ifcr_count a bit later in the code. Index: if_clone.c =================================================================== RCS file: /home/ncvs/src/sys/net/if_clone.c,v retrieving revision 1.5 diff -u -r1.5 if_clone.c --- if_clone.c 10 Feb 2005 12:02:37 -0000 1.5 +++ if_clone.c 20 Feb 2005 07:42:30 -0000 @@ -239,6 +239,9 @@ struct if_clone *ifc; int buf_count, count, err = 0; + if (ifcr->ifcr_count < 0) + return (EINVAL); + IF_CLONERS_LOCK(); /* * Set our internal output buffer size. We could end up not @@ -261,12 +264,6 @@ /* Just asking how many there are. */ goto done; } - - if (ifcr->ifcr_count < 0) { - err = EINVAL; - goto done; - } - count = (if_cloners_count < buf_count) ? if_cloners_count : buf_count; %%% -- Maxim Konovalov
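Review bot: In the first hunk (@@ -239,6 +239,9 @@) the new test rejects only negative values of ifcr->ifcr_count, and nothing in the visible lines shows an upper bound. Please confirm that the code following the "Set our internal output buffer size" comment caps large positive counts before they are used for sizing, and consider a one-line comment above the new check saying that the count comes from user space and is validated before IF_CLONERS_LOCK() is taken, which is also why a bare return (EINVAL) is safe at that point.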
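Review bot: In the second hunk (@@ -261,12 +264,6 @@) the removed check used to set err = EINVAL and goto done, whereas a negative count now returns from the top of the function without passing through the done label. The body of done is not visible in this patch, so please confirm that nothing there (for example, writing a total back to the caller) was relied on for the error case. As a style point, the hunk deletes both blank lines around the old check, so the closing brace of the "Just asking how many there are" branch is now immediately followed by the count = ... assignment; keeping one blank line there would preserve the separation between the two steps.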