Module Name: src Committed By: martin Date: Sat Oct 18 14:04:58 UTC 2014
Modified Files: src/sys/compat/freebsd [netbsd-7]: freebsd_sysctl.c Log Message: Pull up following revision(s) (requested by maxv in ticket #146): sys/compat/freebsd/freebsd_sysctl.c: revision 1.17 I'm not sure reading from an unsanitized userland pointer is a good idea. Some users might be tempted to give 0x01, in which case the kernel will crash. To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.16.4.1 src/sys/compat/freebsd/freebsd_sysctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/freebsd/freebsd_sysctl.c
diff -u src/sys/compat/freebsd/freebsd_sysctl.c:1.16 src/sys/compat/freebsd/freebsd_sysctl.c:1.16.4.1
--- src/sys/compat/freebsd/freebsd_sysctl.c:1.16 Tue Feb 25 18:30:09 2014
+++ src/sys/compat/freebsd/freebsd_sysctl.c Sat Oct 18 14:04:58 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: freebsd_sysctl.c,v 1.16 2014/02/25 18:30:09 pooka Exp $ */
+/* $NetBSD: freebsd_sysctl.c,v 1.16.4.1 2014/10/18 14:04:58 martin Exp $ */
 /*-
 * Copyright (c) 2005 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.16 2014/02/25 18:30:09 pooka Exp $");
+__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.16.4.1 2014/10/18 14:04:58 martin Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -90,7 +90,7 @@ freebsd_sys_sysctl(struct lwp *l, const
 } */
 int error;
 int name[CTL_MAXNAME];
- size_t newlen, *oldlenp;
+ size_t newlen, *oldlenp, oldlen;
 u_int namelen;
 void *new, *old;
@@ -141,9 +141,14 @@ freebsd_sys_sysctl(struct lwp *l, const
 old = SCARG(uap, old);
 oldlenp = SCARG(uap, oldlenp);
- if (old == NULL || oldlenp == NULL || *oldlenp < sizeof(int))
+ if (old == NULL || oldlenp == NULL)
 return(EINVAL);
+ if ((error = copyin(oldlenp, &oldlen, sizeof(oldlen))))
+ return (error);
+ if (oldlen < sizeof(int))
+ return (EINVAL);
+
 if ((locnew = (char *) malloc(newlen + 1, M_TEMP, M_WAITOK)) == NULL)
 return(ENOMEM);
@@ -163,11 +168,11 @@ freebsd_sys_sysctl(struct lwp *l, const
 oidlen *= sizeof(int);
 error = copyout(oid, SCARG(uap, old),
- MIN(oidlen, *SCARG(uap, oldlenp)));
+ MIN(oidlen, oldlen));
 if (error)
 return(error);
 ktrmibio(-1, UIO_READ, SCARG(uap, old),
- MIN(oidlen, *SCARG(uap, oldlenp)), 0);
+ MIN(oidlen, oldlen), 0);
 error = copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int));
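Review bot: The allocation kept as context directly after the new length check, `malloc(newlen + 1, M_TEMP, M_WAITOK)`, still takes its size with no bound visible in the `@@ -141,9 +141,14 @@` hunk, so the validation added for `oldlenp` has no counterpart for `newlen`. The assignment of `newlen` is outside the hunk; if it comes straight from the syscall arguments, the caller chooses the size of a sleeping kernel allocation, and `newlen + 1` wraps to 0 when `newlen` is SIZE_MAX. A cap before the malloc would close that, for example `if (newlen > MAXPATHLEN) return (EINVAL);`, with whatever limit the maintainers consider right for a sysctl name string. The body of freebsd_sys_sysctl starts and ends outside this hunk.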
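Review bot: The length is now read as a full `size_t` with `copyin(oldlenp, &oldlen, sizeof(oldlen))`, but the write-back in the trailing context of the `@@ -163,11 +168,11 @@` hunk still copies only `sizeof(u_int)` bytes to the same user address. On an LP64 kernel that would update only half of the caller's `size_t` (the high half on a big-endian machine), assuming `oidlen` is a `u_int`; its declaration is outside the hunk and should be checked. Writing the result back through the new local keeps both directions the same width: `oldlen = oidlen;` followed by `error = copyout(&oldlen, oldlenp, sizeof(oldlen));`.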