Module Name: src
Committed By: msaitoh
Date: Mon Oct 27 12:38:29 UTC 2014
Modified Files:
src/sys/compat/freebsd [netbsd-5-1]: freebsd_sysctl.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #1926):
sys/compat/freebsd/freebsd_sysctl.c: revision 1.17
I'm not sure reading from an unsanitized userland pointer is a good idea.
Some users might be tempted to give 0x01, in which case the kernel will
crash.
To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.14.16.1 src/sys/compat/freebsd/freebsd_sysctl.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/freebsd/freebsd_sysctl.c
diff -u src/sys/compat/freebsd/freebsd_sysctl.c:1.14 src/sys/compat/freebsd/freebsd_sysctl.c:1.14.16.1
--- src/sys/compat/freebsd/freebsd_sysctl.c:1.14 Mon Apr 28 20:23:41 2008
+++ src/sys/compat/freebsd/freebsd_sysctl.c Mon Oct 27 12:38:29 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: freebsd_sysctl.c,v 1.14 2008/04/28 20:23:41 martin Exp $ */
+/* $NetBSD: freebsd_sysctl.c,v 1.14.16.1 2014/10/27 12:38:29 msaitoh Exp $ */
/*-
* Copyright (c) 2005 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.14 2008/04/28 20:23:41 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.14.16.1 2014/10/27 12:38:29 msaitoh Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -84,7 +84,7 @@ freebsd_sys_sysctl(struct lwp *l, const
} */
int error;
int name[CTL_MAXNAME];
- size_t newlen, *oldlenp;
+ size_t newlen, *oldlenp, oldlen;
u_int namelen;
void *new, *old;
@@ -135,9 +135,14 @@ freebsd_sys_sysctl(struct lwp *l, const
old = SCARG(uap, old);
oldlenp = SCARG(uap, oldlenp);
- if (old == NULL || oldlenp == NULL || *oldlenp < sizeof(int))
+ if (old == NULL || oldlenp == NULL)
return(EINVAL);
+ if ((error = copyin(oldlenp, &oldlen, sizeof(oldlen))))
+ return (error);
+ if (oldlen < sizeof(int))
+ return (EINVAL);
+
if ((locnew =
(char *) malloc(newlen + 1, M_TEMP, M_WAITOK)) == NULL)
return(ENOMEM);
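Review bot: The `malloc(newlen + 1, M_TEMP, M_WAITOK)` that follows the new `copyin` check still sizes a kernel allocation from `newlen`, and no upper bound on it is visible in this hunk. `newlen` is assigned outside the hunk, so this needs confirming, but if it comes straight from the syscall arguments then `SIZE_MAX` makes `newlen + 1` wrap to zero, and any very large value requests a huge sleeping allocation. A range check ahead of the allocation would close this, for example `if (newlen > NAME_LIMIT) return (EINVAL);`, where `NAME_LIMIT` is a placeholder for whatever bound the project picks for a sysctl name string. The body of freebsd_sys_sysctl starts and ends outside the hunk.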
@@ -157,11 +162,11 @@ freebsd_sys_sysctl(struct lwp *l, const
oidlen *= sizeof(int);
error = copyout(oid, SCARG(uap, old),
- MIN(oidlen, *SCARG(uap, oldlenp)));
+ MIN(oidlen, oldlen));
if (error)
return(error);
ktrmibio(-1, UIO_READ, SCARG(uap, old),
- MIN(oidlen, *SCARG(uap, oldlenp)), 0);
+ MIN(oidlen, oldlen), 0);
error = copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int));
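Review bot: The final `copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int))` writes a `u_int`-sized value through the same user pointer that the fix now reads with `copyin(oldlenp, &oldlen, sizeof(oldlen))`, where `oldlen` is a `size_t`. On a platform where `size_t` is wider than `u_int`, only part of the caller's length word is updated and the remaining bytes keep their old contents. `oidlen` is declared outside the hunk, so its type should be confirmed. If the user-side object really is a `size_t`, writing back through the local keeps both directions the same width: `oldlen = oidlen;` followed by `error = copyout(&oldlen, SCARG(uap, oldlenp), sizeof(oldlen));`.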