Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Pull up following revision(s) (requested by maxv in ticket #930): 

sys/compat/netbsd32/netbsd32_ioctl.c: revision 1.82
Wrong logic. Here, userland can control the size and the data copied, which
basically means it can overflow kernel memory.
ok martin@ christos@
This commit is contained in:
martin 2015-08-02 11:29:10 +00:00
parent e7cd0865d9
commit 361594579a
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
sys/compat/netbsd32/netbsd32_ioctl.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: netbsd32_ioctl.c,v 1.69 2014/01/24 12:16:10 bouyer Exp $ */
/* $NetBSD: netbsd32_ioctl.c,v 1.69.4.1 2015/08/02 11:29:10 martin Exp $ */
/*
* Copyright (c) 1998, 2001 Matthew R. Green
@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.69 2014/01/24 12:16:10 bouyer Exp $");
__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.69.4.1 2015/08/02 11:29:10 martin Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@ -137,7 +137,7 @@ netbsd32_to_if_addrprefreq(const struct netbsd32_if_addrprefreq *ifap32,
strlcpy(ifap->ifap_name, ifap32->ifap_name, sizeof(ifap->ifap_name));
ifap->ifap_preference = ifap32->ifap_preference;
memcpy(&ifap->ifap_addr, &ifap32->ifap_addr,
max(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
min(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
}
static inline void
@ -454,7 +454,7 @@ netbsd32_from_if_addrprefreq(const struct if_addrprefreq *ifap,
strlcpy(ifap32->ifap_name, ifap->ifap_name, sizeof(ifap32->ifap_name));
ifap32->ifap_preference = ifap->ifap_preference;
memcpy(&ifap32->ifap_addr, &ifap->ifap_addr,
max(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
min(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
}
static inline void