The mmap call to allocate a buffer for SIOCGIFCONF had no
MAP_FAILED check before the buffer was passed to dev_ifconf.
If mmap fails under memory pressure, pfinet would crash
writing to address (void *)-1.
* pfinet/pfinet-ops.c (S_pfinet_siocgifconf): Check ifc.ifc_buf
for MAP_FAILED immediately after mmap, release global_lock and
return ENOMEM on failure.
---
pfinet/pfinet-ops.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/pfinet/pfinet-ops.c b/pfinet/pfinet-ops.c
index fab57570..796d6241 100644
--- a/pfinet/pfinet-ops.c
+++ b/pfinet/pfinet-ops.c
@@ -77,8 +77,15 @@ S_pfinet_siocgifconf (io_t port,
{
/* Possibly allocate a new buffer. */
if (*len < amount)
- ifc.ifc_buf = (char *) mmap (0, amount, PROT_READ|PROT_WRITE,
- MAP_ANON, 0, 0);
+ {
+ ifc.ifc_buf = (char *) mmap (0, amount, PROT_READ|PROT_WRITE,
+ MAP_ANON, 0, 0);
+ if (ifc.ifc_buf == MAP_FAILED)
+ {
+ pthread_mutex_unlock (&global_lock);
+ return ENOMEM;
+ }
+ }
else
ifc.ifc_buf = *ifr;
err = dev_ifconf ((char *) &ifc);
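Review bot: The new failure branch returns a hard-coded `ENOMEM`, which discards whatever errno mmap actually reported. `err` is assigned on the last context line, so it appears to be in scope here, and I would save the value before unlocking: `err = errno; pthread_mutex_unlock (&global_lock); return err;`. This branch is also a second exit from S_pfinet_siocgifconf that skips everything after dev_ifconf. The start and tail of the function are outside the hunk, so please confirm that the common exit does nothing this path also needs beyond dropping global_lock. A short comment such as `/* Nothing was mapped: drop the lock and fail before dev_ifconf can write through MAP_FAILED. */` would record why the early return is there.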
--
2.54.0