Date: Wed, 30 Nov 2016 01:17:02 +0000 (UTC) From: Brooks Davis <brooks@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r309303 - stable/11/sbin/dhclient Message-ID: <201611300117.uAU1H2Yx053016@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: brooks Date: Wed Nov 30 01:17:02 2016 New Revision: 309303 URL: https://svnweb.freebsd.org/changeset/base/309303 Log: MFC r309027: Allocate a struct ifreq rather than using a (wrong) computed size for the BIOCSETIF ioctl. The kernel always copies an entire struct ifreq and IPv4 addresses will always fit in an ifreq. On systems with pointers larger than 64-bits, the computed size will be less than the size of struct ifreq, potentially resulting in the kernel attempting to copyin memory from outside the allocation. Reviewed by: jhb Obtained from: CheriBSD Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D8445 Modified: stable/11/sbin/dhclient/dispatch.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sbin/dhclient/dispatch.c ============================================================================== --- stable/11/sbin/dhclient/dispatch.c Wed Nov 30 00:26:35 2016 (r309302) +++ stable/11/sbin/dhclient/dispatch.c Wed Nov 30 01:17:02 2016 (r309303) @@ -105,8 +105,8 @@ discover_interfaces(struct interface_inf if (foo.sin_addr.s_addr == htonl(INADDR_LOOPBACK)) continue; if (!iface->ifp) { - int len = IFNAMSIZ + ifa->ifa_addr->sa_len; - if ((tif = malloc(len)) == NULL) + if ((tif = calloc(1, sizeof(struct ifreq))) + == NULL) error("no space to remember ifp"); strlcpy(tif->ifr_name, ifa->ifa_name, IFNAMSIZ); memcpy(&tif->ifr_addr, ifa->ifa_addr,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201611300117.uAU1H2Yx053016>