Module Name: src
Committed By: martin
Date: Sun Aug 2 11:29:10 UTC 2015
Modified Files:
src/sys/compat/netbsd32 [netbsd-7]: netbsd32_ioctl.c
Log Message:
Pull up following revision(s) (requested by maxv in ticket #930):
sys/compat/netbsd32/netbsd32_ioctl.c: revision 1.82
Wrong logic. Here, userland can control the size and the data copied, which
basically means it can overflow kernel memory.
ok martin@ christos@
To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.69.4.1 src/sys/compat/netbsd32/netbsd32_ioctl.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/netbsd32/netbsd32_ioctl.c
diff -u src/sys/compat/netbsd32/netbsd32_ioctl.c:1.69 src/sys/compat/netbsd32/netbsd32_ioctl.c:1.69.4.1
--- src/sys/compat/netbsd32/netbsd32_ioctl.c:1.69 Fri Jan 24 12:16:10 2014
+++ src/sys/compat/netbsd32/netbsd32_ioctl.c Sun Aug 2 11:29:10 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_ioctl.c,v 1.69 2014/01/24 12:16:10 bouyer Exp $ */
+/* $NetBSD: netbsd32_ioctl.c,v 1.69.4.1 2015/08/02 11:29:10 martin Exp $ */
/*
* Copyright (c) 1998, 2001 Matthew R. Green
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.69 2014/01/24 12:16:10 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.69.4.1 2015/08/02 11:29:10 martin Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -137,7 +137,7 @@ netbsd32_to_if_addrprefreq(const struct
strlcpy(ifap->ifap_name, ifap32->ifap_name, sizeof(ifap->ifap_name));
ifap->ifap_preference = ifap32->ifap_preference;
memcpy(&ifap->ifap_addr, &ifap32->ifap_addr,
- max(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
+ min(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
}
static inline void
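Review bot: With `min()` the memcpy in netbsd32_to_if_addrprefreq copies only `ss_len` bytes whenever that value is below `_SS_MAXSIZE`, so the rest of `ifap->ifap_addr` keeps whatever the destination already held; the old `max()` always copied at least the full storage. Clearing the destination first, `memset(&ifap->ifap_addr, 0, sizeof(ifap->ifap_addr));`, would make the converted address fully defined for any `ss_len`, including 0. The same partial copy occurs in the netbsd32_from_if_addrprefreq hunk at -454, where the destination is the 32-bit structure that presumably travels back to userland, so stale bytes there would matter more. Whether callers already zero these structures cannot be seen here, because both function bodies start outside their hunks.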
@@ -454,7 +454,7 @@ netbsd32_from_if_addrprefreq(const struc
strlcpy(ifap32->ifap_name, ifap->ifap_name, sizeof(ifap32->ifap_name));
ifap32->ifap_preference = ifap->ifap_preference;
memcpy(&ifap32->ifap_addr, &ifap->ifap_addr,
- max(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
+ min(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
}
static inline void
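Review bot: The clamp in `min(ifap->ifap_addr.ss_len, _SS_MAXSIZE)` is bounded by a named constant rather than by the object being written, so it is correct only while `ifap32->ifap_addr` is exactly `_SS_MAXSIZE` bytes; the field's declaration is not visible in this hunk. Using `sizeof(ifap32->ifap_addr)` as the bound (and `sizeof(ifap->ifap_addr)` in the hunk at -137) would tie the limit to the destination itself. A one-line comment above the memcpy, for example `/* ss_len is not trusted: never copy past the address storage */`, would also help keep the `min` from being reverted to the earlier logic.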