d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

In the handling of the SIOC[DG]LIFADDR icotls in in_lifaddr_ioctl(), add

Browse Source 
missing interface address list locking and grab a reference on the
matching interface address after dropping the lock while it is used to
avoid a potential use after free.

Reviewed by:	bz
MFC after:	1 week
This commit is contained in:
jhb 2012-01-04 13:26:56 +00:00
parent 90b391fc12
commit bae1448c5e
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
sys/netinet/in.c
View File

@ -784,6 +784,7 @@ in_lifaddr_ioctl(struct socket *so, u_long cmd, caddr_t data,
}
}
IF_ADDR_LOCK(ifp);
TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
if (ifa->ifa_addr->sa_family != AF_INET)
continue;
@ -794,6 +795,9 @@ in_lifaddr_ioctl(struct socket *so, u_long cmd, caddr_t data,
if (candidate.s_addr == match.s_addr)
break;
}
if (ifa != NULL)
ifa_ref(ifa);
IF_ADDR_UNLOCK(ifp);
if (ifa == NULL)
return (EADDRNOTAVAIL);
ia = (struct in_ifaddr *)ifa;
@ -812,6 +816,7 @@ in_lifaddr_ioctl(struct socket *so, u_long cmd, caddr_t data,
in_mask2len(&ia->ia_sockmask.sin_addr);
iflr->flags = 0; /*XXX*/
ifa_free(ifa);
return (0);
} else {
@ -830,6 +835,7 @@ in_lifaddr_ioctl(struct socket *so, u_long cmd, caddr_t data,
}
bcopy(&ia->ia_sockmask, &ifra.ifra_dstaddr,
ia->ia_sockmask.sin_len);
ifa_free(ifa);
return (in_control(so, SIOCDIFADDR, (caddr_t)&ifra,
ifp, td));