Module Name: src Committed By: martin Date: Sun Aug 2 12:50:48 UTC 2015
Modified Files: src/sys/compat/netbsd32 [netbsd-6]: netbsd32_ioctl.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1318): sys/compat/netbsd32/netbsd32_ioctl.c: revision 1.82 Wrong logic. Here, userland can control the size and the data copied, which basically means it can overflow kernel memory. ok martin@ christos@ To generate a diff of this commit: cvs rdiff -u -r1.64.8.1 -r1.64.8.2 src/sys/compat/netbsd32/netbsd32_ioctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/netbsd32/netbsd32_ioctl.c
diff -u src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64.8.1 src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64.8.2
--- src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64.8.1 Tue Mar 18 07:18:22 2014
+++ src/sys/compat/netbsd32/netbsd32_ioctl.c Sun Aug 2 12:50:48 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: netbsd32_ioctl.c,v 1.64.8.1 2014/03/18 07:18:22 msaitoh Exp $ */
+/* $NetBSD: netbsd32_ioctl.c,v 1.64.8.2 2015/08/02 12:50:48 martin Exp $ */
 /*
 * Copyright (c) 1998, 2001 Matthew R. Green
@@ -31,7 +31,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.64.8.1 2014/03/18 07:18:22 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.64.8.2 2015/08/02 12:50:48 martin Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -193,7 +193,7 @@ netbsd32_to_if_addrprefreq(const struct
 strlcpy(ifap->ifap_name, ifap32->ifap_name, sizeof(ifap->ifap_name));
 ifap->ifap_preference = ifap32->ifap_preference;
 memcpy(&ifap->ifap_addr, &ifap32->ifap_addr,
- max(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
+ min(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
 }
 static inline void
@@ -443,7 +443,7 @@ netbsd32_from_if_addrprefreq(const struc
 strlcpy(ifap32->ifap_name, ifap->ifap_name, sizeof(ifap32->ifap_name));
 ifap32->ifap_preference = ifap->ifap_preference;
 memcpy(&ifap32->ifap_addr, &ifap->ifap_addr,
- max(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
+ min(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
 }
 static inline void
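Review bot: With the length clamped by `min(ifap32->ifap_addr.ss_len, _SS_MAXSIZE)`, a short or zero `ss_len` now copies only part of `ifap_addr` and leaves the rest of the destination as it was, including the destination's own `ss_len` when the length is 0. Neither hunk shows the destination being cleared, so unless the callers zero it, `netbsd32_to_if_addrprefreq` can pass stale bytes on to the ioctl handler, and the `netbsd32_from_if_addrprefreq` hunk at `@@ -443` can carry stale kernel bytes into the structure that is returned to the 32-bit caller. I would add `memset(&ifap->ifap_addr, 0, sizeof(ifap->ifap_addr));` ahead of the `memcpy` in the first function and the `ifap32` equivalent in the second. A one-line comment such as `/* ss_len is caller-supplied: clamp to the storage size */` would also record why the bound is there. Both function bodies begin outside their hunks, so a clear that already happens earlier cannot be ruled out from here.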