Pull up following revision(s) (requested by maxv in ticket #930):
sys/compat/netbsd32/netbsd32_ioctl.c: revision 1.82 Wrong logic. Here, userland can control the size and the data copied, which basically means it can overflow kernel memory. ok martin@ christos@
This commit is contained in:
parent
e7cd0865d9
commit
361594579a
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: netbsd32_ioctl.c,v 1.69 2014/01/24 12:16:10 bouyer Exp $ */
|
||||
/* $NetBSD: netbsd32_ioctl.c,v 1.69.4.1 2015/08/02 11:29:10 martin Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1998, 2001 Matthew R. Green
|
||||
|
@ -31,7 +31,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.69 2014/01/24 12:16:10 bouyer Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.69.4.1 2015/08/02 11:29:10 martin Exp $");
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/systm.h>
|
||||
|
@ -137,7 +137,7 @@ netbsd32_to_if_addrprefreq(const struct netbsd32_if_addrprefreq *ifap32,
|
|||
strlcpy(ifap->ifap_name, ifap32->ifap_name, sizeof(ifap->ifap_name));
|
||||
ifap->ifap_preference = ifap32->ifap_preference;
|
||||
memcpy(&ifap->ifap_addr, &ifap32->ifap_addr,
|
||||
max(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
|
||||
min(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
|
||||
}
|
||||
|
||||
static inline void
|
||||
|
@ -454,7 +454,7 @@ netbsd32_from_if_addrprefreq(const struct if_addrprefreq *ifap,
|
|||
strlcpy(ifap32->ifap_name, ifap->ifap_name, sizeof(ifap32->ifap_name));
|
||||
ifap32->ifap_preference = ifap->ifap_preference;
|
||||
memcpy(&ifap32->ifap_addr, &ifap->ifap_addr,
|
||||
max(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
|
||||
min(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
|
||||
}
|
||||
|
||||
static inline void
|
||||
|
|
Loading…
Reference in New Issue