Module Name:    src
Committed By:   martin
Date:           Sun Aug  2 12:50:48 UTC 2015

Modified Files:
        src/sys/compat/netbsd32 [netbsd-6]: netbsd32_ioctl.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1318):
        sys/compat/netbsd32/netbsd32_ioctl.c: revision 1.82
Wrong logic. Here, userland can control the size and the data copied, which
basically means it can overflow kernel memory.
ok martin@ christos@


To generate a diff of this commit:
cvs rdiff -u -r1.64.8.1 -r1.64.8.2 src/sys/compat/netbsd32/netbsd32_ioctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/netbsd32/netbsd32_ioctl.c
diff -u src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64.8.1 src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64.8.2
--- src/sys/compat/netbsd32/netbsd32_ioctl.c:1.64.8.1	Tue Mar 18 07:18:22 2014
+++ src/sys/compat/netbsd32/netbsd32_ioctl.c	Sun Aug  2 12:50:48 2015
@@ -1,4 +1,4 @@
-/*	$NetBSD: netbsd32_ioctl.c,v 1.64.8.1 2014/03/18 07:18:22 msaitoh Exp $	*/
+/*	$NetBSD: netbsd32_ioctl.c,v 1.64.8.2 2015/08/02 12:50:48 martin Exp $	*/
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.64.8.1 2014/03/18 07:18:22 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.64.8.2 2015/08/02 12:50:48 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -193,7 +193,7 @@ netbsd32_to_if_addrprefreq(const struct 
 	strlcpy(ifap->ifap_name, ifap32->ifap_name, sizeof(ifap->ifap_name));
 	ifap->ifap_preference = ifap32->ifap_preference;
 	memcpy(&ifap->ifap_addr, &ifap32->ifap_addr,
-	    max(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
+	    min(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
 }
 
 static inline void
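Review bot: With the length now clamped by `min(ifap32->ifap_addr.ss_len, _SS_MAXSIZE)`, a caller-supplied `ss_len` smaller than the storage size leaves the tail of `ifap->ifap_addr` unwritten, and an `ss_len` of 0 copies nothing at all. Whether the destination is zeroed beforehand is not visible in this hunk (the function starts above it), so I would add `memset(&ifap->ifap_addr, 0, sizeof(ifap->ifap_addr));` before the `memcpy`. The same applies to the `netbsd32_from_if_addrprefreq` hunk below, where the destination appears (from the name) to be the 32-bit structure handed back to userland, so stale kernel bytes left in `ifap32->ifap_addr` would be an information leak; zero it the same way. A short comment such as `/* ss_len is caller-controlled; never copy more than the storage size */` above both copies would also keep the clamp from being reverted by mistake.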
@@ -443,7 +443,7 @@ netbsd32_from_if_addrprefreq(const struc
 	strlcpy(ifap32->ifap_name, ifap->ifap_name, sizeof(ifap32->ifap_name));
 	ifap32->ifap_preference = ifap->ifap_preference;
 	memcpy(&ifap32->ifap_addr, &ifap->ifap_addr,
-	    max(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
+	    min(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
 }
 
 static inline void
