Module Name:    src
Committed By:   snj
Date:           Sun Oct 19 19:40:55 UTC 2014

Modified Files:
        src/sys/compat/freebsd [netbsd-6-1]: freebsd_sysctl.c

Log Message:
Pull up following revision(s) (requested by maxv in ticket #1168):
        sys/compat/freebsd/freebsd_sysctl.c: revision 1.17
I'm not sure reading from an unsanitized userland pointer is a good idea.
Some users might be tempted to give 0x01, in which case the kernel will
crash.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.15.36.1 src/sys/compat/freebsd/freebsd_sysctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/freebsd/freebsd_sysctl.c
diff -u src/sys/compat/freebsd/freebsd_sysctl.c:1.15 src/sys/compat/freebsd/freebsd_sysctl.c:1.15.36.1
--- src/sys/compat/freebsd/freebsd_sysctl.c:1.15	Wed Nov 19 18:36:02 2008
+++ src/sys/compat/freebsd/freebsd_sysctl.c	Sun Oct 19 19:40:55 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: freebsd_sysctl.c,v 1.15 2008/11/19 18:36:02 ad Exp $	*/
+/*	$NetBSD: freebsd_sysctl.c,v 1.15.36.1 2014/10/19 19:40:55 snj Exp $	*/
 
 /*-
  * Copyright (c) 2005 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.15 2008/11/19 18:36:02 ad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.15.36.1 2014/10/19 19:40:55 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -95,7 +95,7 @@ freebsd_sys_sysctl(struct lwp *l, const 
 	} */
 	int error;
 	int name[CTL_MAXNAME];
-	size_t newlen, *oldlenp;
+	size_t newlen, *oldlenp, oldlen;
 	u_int namelen;
 	void *new, *old;
 
@@ -146,9 +146,14 @@ freebsd_sys_sysctl(struct lwp *l, const 
 
 		old = SCARG(uap, old);
 		oldlenp = SCARG(uap, oldlenp);
-		if (old == NULL || oldlenp == NULL || *oldlenp < sizeof(int))
+		if (old == NULL || oldlenp == NULL)
 			return(EINVAL);
 
+		if ((error = copyin(oldlenp, &oldlen, sizeof(oldlen))))
+			return (error);
+		if (oldlen < sizeof(int))
+			return (EINVAL);
+
 		if ((locnew =
 		     (char *) malloc(newlen + 1, M_TEMP, M_WAITOK)) == NULL)
 			return(ENOMEM);
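Review bot: The `malloc(newlen + 1, M_TEMP, M_WAITOK)` directly below the new checks still sizes a kernel allocation from `newlen`, and nothing inside this hunk bounds that value; if the earlier part of freebsd_sys_sysctl (outside the hunk) does not cap it, `newlen + 1` wraps when newlen is SIZE_MAX and a large value lets a caller hold an arbitrarily sized M_WAITOK allocation. If no such cap exists, a range check placed before the allocation, e.g. `if (newlen > /* TODO: bound appropriate for the name buffer */) return (EINVAL);`, would close that. Separately, the added lines use `return (error);` and `return (EINVAL);` while the adjacent lines use `return(EINVAL);`; one form should be used throughout. The preceding hunk only adds the `oldlen` declaration that this one consumes.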
@@ -168,11 +173,11 @@ freebsd_sys_sysctl(struct lwp *l, const 
 
 		oidlen *= sizeof(int);
 		error = copyout(oid, SCARG(uap, old),
-				MIN(oidlen, *SCARG(uap, oldlenp)));
+				MIN(oidlen, oldlen));
 		if (error)
 			return(error);
 		ktrmibio(-1, UIO_READ, SCARG(uap, old),
-		    MIN(oidlen, *SCARG(uap, oldlenp)),  0);
+		    MIN(oidlen, oldlen),  0);
 
 		error = copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int));
 
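Review bot: The final `copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int))` writes `sizeof(u_int)` bytes through a pointer declared as `size_t *oldlenp` in the earlier hunk, so on an LP64 target only part of the user's size_t is updated and the remainder keeps whatever the caller left there; oidlen's type is not visible here and is inferred from the sizeof. If this compat layer only builds for ILP32 targets the mismatch is harmless, but writing a full-width value, e.g. `size_t outlen = oidlen; error = copyout(&outlen, SCARG(uap, oldlenp), sizeof(outlen));`, would make the write exact in either case. The enclosing function starts before and continues after this hunk.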
