Allocate a struct ifreq rather than using a (wrong) computed size for
the BIOCSETIF ioctl. The kernel always copies an entire struct ifreq and IPv4 addresses will always fit in an ifreq. On systems with pointers larger than 64-bits, the computed size will be less than the size of struct ifreq, potentially resulting in the kernel attempting to copyin memory from outside the allocation. Reviewed by: jhb Obtained from: CheriBSD MFC after: 1 week Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D8445
This commit is contained in:
parent
295159dfa3
commit
f2c99d387c
@ -106,8 +106,8 @@ discover_interfaces(struct interface_info *iface)
|
|||||||
if (foo.sin_addr.s_addr == htonl(INADDR_LOOPBACK))
|
if (foo.sin_addr.s_addr == htonl(INADDR_LOOPBACK))
|
||||||
continue;
|
continue;
|
||||||
if (!iface->ifp) {
|
if (!iface->ifp) {
|
||||||
int len = IFNAMSIZ + ifa->ifa_addr->sa_len;
|
if ((tif = calloc(1, sizeof(struct ifreq)))
|
||||||
if ((tif = malloc(len)) == NULL)
|
== NULL)
|
||||||
error("no space to remember ifp");
|
error("no space to remember ifp");
|
||||||
strlcpy(tif->ifr_name, ifa->ifa_name, IFNAMSIZ);
|
strlcpy(tif->ifr_name, ifa->ifa_name, IFNAMSIZ);
|
||||||
memcpy(&tif->ifr_addr, ifa->ifa_addr,
|
memcpy(&tif->ifr_addr, ifa->ifa_addr,
|
||||||
|
Loading…
Reference in New Issue
Block a user