Pull up following revision(s) (requested by spz in ticket #198):

sys/altq/altq_cbq.c: revision 1.31 sys/altq/altq_hfsc.c: revision 1.27 sys/altq/altq_jobs.c: revision 1.11 sys/altq/altq_priq.c: revision 1.24 sys/altq/altq_wfq.c: revision 1.22 Zero buffers copied to userland to avoid stack disclosure. From Ilja Van Sprundel. -- Reject negative indices. (Would be nice to change the types too, and it's *probably* safe to replace int by u_int, but I'm reluctant to touch the ioctl definitions without at least a modicum more thought. Also one of them is a u_long, because why not?) From Ilja Van Sprundel.
2017-08-09 05:31:02 +00:00 · 2017-08-09 05:31:02 +00:00 · 2ce37d2f64
parent 433870eb6d
commit 2ce37d2f64
5 changed files with 20 additions and 16 deletions
--- a/sys/altq/altq_cbq.c
+++ b/sys/altq/altq_cbq.c
@ -1,4 +1,4 @@
-/*	$NetBSD: altq_cbq.c,v 1.30 2016/06/20 08:30:58 knakahara Exp $	*/
+/*	$NetBSD: altq_cbq.c,v 1.30.10.1 2017/08/09 05:31:02 snj Exp $	*/
 /*	$KAME: altq_cbq.c,v 1.21 2005/04/13 03:44:24 suz Exp $	*/

 /*
@ -32,7 +32,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.30 2016/06/20 08:30:58 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.30.10.1 2017/08/09 05:31:02 snj Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@ -471,6 +471,7 @@ cbq_getqstats(struct pf_altq *a, void *ubuf, int *nbytes)
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);

+	memset(&stats, 0, sizeof(stats));
 	get_class_stats(&stats, cl);

 	if ((error = copyout((void *)&stats, ubuf, sizeof(stats))) != 0)
@ -880,6 +881,7 @@ cbq_getstats(struct cbq_getstats *gsp)
 			if (++i >= CBQ_MAX_CLASSES)
 				goto out;

+		memset(&stats, 0, sizeof(stats));
 		get_class_stats(&stats, cl);
 		stats.handle = cl->stats_.handle;

--- a/sys/altq/altq_hfsc.c
+++ b/sys/altq/altq_hfsc.c
@ -1,4 +1,4 @@
-/*	$NetBSD: altq_hfsc.c,v 1.26 2016/04/20 08:58:48 knakahara Exp $	*/
+/*	$NetBSD: altq_hfsc.c,v 1.26.10.1 2017/08/09 05:31:02 snj Exp $	*/
 /*	$KAME: altq_hfsc.c,v 1.26 2005/04/13 03:44:24 suz Exp $	*/

 /*
@ -43,7 +43,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.26 2016/04/20 08:58:48 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.26.10.1 2017/08/09 05:31:02 snj Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@ -312,6 +312,7 @@ hfsc_getqstats(struct pf_altq *a, void *ubuf, int *nbytes)
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);

+	memset(&stats, 0, sizeof(stats));
 	get_class_stats(&stats, cl);

 	if ((error = copyout((void *)&stats, ubuf, sizeof(stats))) != 0)
--- a/sys/altq/altq_jobs.c
+++ b/sys/altq/altq_jobs.c
@ -1,4 +1,4 @@
-/*	$NetBSD: altq_jobs.c,v 1.10 2016/11/21 07:15:36 dholland Exp $	*/
+/*	$NetBSD: altq_jobs.c,v 1.10.8.1 2017/08/09 05:31:02 snj Exp $	*/
 /*	$KAME: altq_jobs.c,v 1.11 2005/04/13 03:44:25 suz Exp $	*/
 /*
 * Copyright (c) 2001, the Rector and Board of Visitors of the
@ -59,7 +59,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.10 2016/11/21 07:15:36 dholland Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.10.8.1 2017/08/09 05:31:02 snj Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@ -2110,10 +2110,9 @@ jobscmd_class_stats(struct jobs_class_stats *ap)
 	usp = ap->stats;
 	for (pri = 0; pri <= jif->jif_maxpri; pri++) {
 		cl = jif->jif_classes[pri];
+		(void)memset(&stats, 0, sizeof(stats));
 		if (cl != NULL)
 			get_class_stats(&stats, cl);
-		else
-			(void)memset(&stats, 0, sizeof(stats));
 		if ((error = copyout((void *)&stats, (void *)usp++,
 				     sizeof(stats))) != 0)
 			return (error);
--- a/sys/altq/altq_priq.c
+++ b/sys/altq/altq_priq.c
@ -1,4 +1,4 @@
-/*	$NetBSD: altq_priq.c,v 1.23 2016/04/20 08:58:48 knakahara Exp $	*/
+/*	$NetBSD: altq_priq.c,v 1.23.10.1 2017/08/09 05:31:02 snj Exp $	*/
 /*	$KAME: altq_priq.c,v 1.13 2005/04/13 03:44:25 suz Exp $	*/
 /*
 * Copyright (C) 2000-2003
@ -31,7 +31,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: altq_priq.c,v 1.23 2016/04/20 08:58:48 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_priq.c,v 1.23.10.1 2017/08/09 05:31:02 snj Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@ -219,6 +219,7 @@ priq_getqstats(struct pf_altq *a, void *ubuf, int *nbytes)
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);

+	memset(&stats, 0, sizeof(stats));
 	get_class_stats(&stats, cl);

 	if ((error = copyout((void *)&stats, ubuf, sizeof(stats))) != 0)
--- a/sys/altq/altq_wfq.c
+++ b/sys/altq/altq_wfq.c
@ -1,4 +1,4 @@
-/*	$NetBSD: altq_wfq.c,v 1.21 2016/04/20 08:58:48 knakahara Exp $	*/
+/*	$NetBSD: altq_wfq.c,v 1.21.10.1 2017/08/09 05:31:02 snj Exp $	*/
 /*	$KAME: altq_wfq.c,v 1.14 2005/04/13 03:44:25 suz Exp $	*/

 /*
@ -32,7 +32,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: altq_wfq.c,v 1.21 2016/04/20 08:58:48 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_wfq.c,v 1.21.10.1 2017/08/09 05:31:02 snj Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@ -517,14 +517,15 @@ wfq_setweight(struct wfq_setweight *swp)
 	wfq *queue;
 	int old;

-	if (swp->weight < 0) {
-		printf("set weight in natural number\n");
+	if (swp->weight < 0)
 		return (EINVAL);
-	}

 	if ((wfqp = altq_lookup(swp->iface.wfq_ifacename, ALTQT_WFQ)) == NULL)
 		return (EBADF);

+	if (swp->qid < 0 || swp->qid >= wfqp->nums)
+		return (EINVAL);
+
 	queue = &wfqp->queue[swp->qid];
 	old = queue->weight;
 	queue->weight = swp->weight;
@ -543,7 +544,7 @@ wfq_getstats(struct wfq_getstats *gsp)
 	if ((wfqp = altq_lookup(gsp->iface.wfq_ifacename, ALTQT_WFQ)) == NULL)
 		return (EBADF);

-	if (gsp->qid >= wfqp->nums)
+	if (gsp->qid < 0 || gsp->qid >= wfqp->nums)
 		return (EINVAL);

 	queue = &wfqp->queue[gsp->qid];