Partially revert r257696/r257713, which have an issue with writing to user

controlled address. Restore the old code that emulated OSIOCGIFCONF in if.c. Noticed by: C Turt
2016-07-24 10:10:09 +00:00 · 2016-07-24 10:10:09 +00:00 · 32e0ade6c4
commit 32e0ade6c4
parent fb112f72a8
2 changed files with 18 additions and 14 deletions
--- a/sys/compat/svr4/svr4_sockio.c
+++ b/sys/compat/svr4/svr4_sockio.c
@ -73,6 +73,8 @@ bsd_to_svr4_flags(bf)
 	return sf;
 }

+#define	OSIOCGIFCONF	_IOWR('i', 20, struct ifconf)
+
 int
 svr4_sock_ioctl(fp, td, retval, fd, cmd, data)
 	struct file *fp;
@ -144,7 +146,6 @@ svr4_sock_ioctl(fp, td, retval, fd, cmd, data)
 	case SVR4_SIOCGIFCONF:
 		{
 			struct svr4_ifconf sc;
-			struct ifconf *ifc;

 			if ((error = copyin(data, &sc, sizeof(sc))) != 0)
 				return error;
@ -153,19 +154,9 @@ svr4_sock_ioctl(fp, td, retval, fd, cmd, data)
 				sizeof(struct ifreq), sizeof(struct svr4_ifreq),
 				sc.svr4_ifc_len));

-			ifc = (struct ifconf *)&sc;
-			ifc->ifc_req->ifr_addr.sa_family =
-			    sc.svr4_ifc_req->svr4_ifr_addr.sa_family;
-			ifc->ifc_req->ifr_addr.sa_len =
-			    sizeof(struct osockaddr);
-
-			error = fo_ioctl(fp, SIOCGIFCONF, &sc, td->td_ucred,
-			    td);
-
-			sc.svr4_ifc_req->svr4_ifr_addr.sa_family =
-			    ifc->ifc_req->ifr_addr.sa_family;
-
-			if (error != 0)
+			if ((error = fo_ioctl(fp, OSIOCGIFCONF,
+					    (caddr_t) &sc, td->td_ucred,
+					    td)) != 0)
 				return error;

 			DPRINTF(("SIOCGIFCONF\n"));
--- a/sys/net/if.c
+++ b/sys/net/if.c
@ -2699,6 +2699,9 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
 	return (error);
 }

+/* COMPAT_SVR4 */
+#define	OSIOCGIFCONF	_IOWR('i', 20, struct ifconf)
+
 #ifdef COMPAT_FREEBSD32
 struct ifconf32 {
 	int32_t	ifc_len;
@ -2738,6 +2741,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct thread *td)

 	switch (cmd) {
 	case SIOCGIFCONF:
+	case OSIOCGIFCONF:	/* COMPAT_SVR4 */
 		error = ifconf(cmd, data);
 		CURVNET_RESTORE();
 		return (error);
@ -3009,6 +3013,15 @@ ifconf(u_long cmd, caddr_t data)
 			if (prison_if(curthread->td_ucred, sa) != 0)
 				continue;
 			addrs++;
+			/* COMPAT_SVR4 */
+			if (cmd == OSIOCGIFCONF) {
+				struct osockaddr *osa =
+				    (struct osockaddr *)&ifr.ifr_addr;
+				ifr.ifr_addr = *sa;
+				osa->sa_family = sa->sa_family;
+				sbuf_bcat(sb, &ifr, sizeof(ifr));
+				max_len += sizeof(ifr);
+			} else
 			if (sa->sa_len <= sizeof(*sa)) {
 				ifr.ifr_addr = *sa;
 				sbuf_bcat(sb, &ifr, sizeof(ifr));