Allocate a struct ifreq rather than using a (wrong) computed size for

the BIOCSETIF ioctl. The kernel always copies an entire struct ifreq and IPv4 addresses will always fit in an ifreq. On systems with pointers larger than 64-bits, the computed size will be less than the size of struct ifreq, potentially resulting in the kernel attempting to copyin memory from outside the allocation. Reviewed by: jhb Obtained from: CheriBSD MFC after: 1 week Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D8445
2016-11-22 22:45:15 +00:00 · 2016-11-22 22:45:15 +00:00 · f2c99d387c
commit f2c99d387c
parent 295159dfa3
1 changed files with 2 additions and 2 deletions
--- a/sbin/dhclient/dispatch.c
+++ b/sbin/dhclient/dispatch.c
@ -106,8 +106,8 @@ discover_interfaces(struct interface_info *iface)
 			if (foo.sin_addr.s_addr == htonl(INADDR_LOOPBACK))
 				continue;
 			if (!iface->ifp) {
-				int len = IFNAMSIZ + ifa->ifa_addr->sa_len;
-				if ((tif = malloc(len)) == NULL)
+				if ((tif = calloc(1, sizeof(struct ifreq)))
+				    == NULL)
 					error("no space to remember ifp");
 				strlcpy(tif->ifr_name, ifa->ifa_name, IFNAMSIZ);
 				memcpy(&tif->ifr_addr, ifa->ifa_addr,