Module Name: src Committed By: snj Date: Sun Oct 19 19:40:55 UTC 2014
Modified Files: src/sys/compat/freebsd [netbsd-6-1]: freebsd_sysctl.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1168): sys/compat/freebsd/freebsd_sysctl.c: revision 1.17 I'm not sure reading from an unsanitized userland pointer is a good idea. Some users might be tempted to give 0x01, in which case the kernel will crash. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.15.36.1 src/sys/compat/freebsd/freebsd_sysctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/compat/freebsd/freebsd_sysctl.c diff -u src/sys/compat/freebsd/freebsd_sysctl.c:1.15 src/sys/compat/freebsd/freebsd_sysctl.c:1.15.36.1 --- src/sys/compat/freebsd/freebsd_sysctl.c:1.15 Wed Nov 19 18:36:02 2008 +++ src/sys/compat/freebsd/freebsd_sysctl.c Sun Oct 19 19:40:55 2014 @@ -1,4 +1,4 @@ -/* $NetBSD: freebsd_sysctl.c,v 1.15 2008/11/19 18:36:02 ad Exp $ */ +/* $NetBSD: freebsd_sysctl.c,v 1.15.36.1 2014/10/19 19:40:55 snj Exp $ */ /*- * Copyright (c) 2005 The NetBSD Foundation, Inc. @@ -31,7 +31,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.15 2008/11/19 18:36:02 ad Exp $"); +__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.15.36.1 2014/10/19 19:40:55 snj Exp $"); #include <sys/param.h> #include <sys/systm.h> @@ -95,7 +95,7 @@ freebsd_sys_sysctl(struct lwp *l, const } */ int error; int name[CTL_MAXNAME]; - size_t newlen, *oldlenp; + size_t newlen, *oldlenp, oldlen; u_int namelen; void *new, *old; @@ -146,9 +146,14 @@ freebsd_sys_sysctl(struct lwp *l, const old = SCARG(uap, old); oldlenp = SCARG(uap, oldlenp); - if (old == NULL || oldlenp == NULL || *oldlenp < sizeof(int)) + if (old == NULL || oldlenp == NULL) return(EINVAL); + if ((error = copyin(oldlenp, &oldlen, sizeof(oldlen)))) + return (error); + if (oldlen < sizeof(int)) + return (EINVAL); + if ((locnew = (char *) malloc(newlen + 1, M_TEMP, M_WAITOK)) == NULL) return(ENOMEM); @@ -168,11 +173,11 @@ freebsd_sys_sysctl(struct lwp *l, const oidlen *= sizeof(int); error = copyout(oid, SCARG(uap, old), - MIN(oidlen, *SCARG(uap, oldlenp))); + MIN(oidlen, oldlen)); if (error) return(error); ktrmibio(-1, UIO_READ, SCARG(uap, old), - MIN(oidlen, *SCARG(uap, oldlenp)), 0); + MIN(oidlen, oldlen), 0); error = copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int));
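Review bot: The new `copyin(oldlenp, &oldlen, sizeof(oldlen))` sequence in the -146,9 +146,14 hunk carries no comment explaining why the length is copied instead of dereferenced, so a later edit could quietly bring `*oldlenp` back. I would put a comment above it such as `/* oldlenp is a userland pointer: fetch the length once with copyin() and use only the kernel copy (oldlen) from here on. */`. The remaining `old == NULL || oldlenp == NULL` test rejects only null; any other bad address is reported through copyin's error return, which the new code propagates. freebsd_sys_sysctl starts and ends outside the hunk.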
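Review bot: The length is now read from `oldlenp` with `sizeof(oldlen)`, a `size_t`, but the trailing `copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int))` in the -168,11 +173,11 hunk still writes only `sizeof(u_int)` bytes back to the same address. Where size_t is wider than u_int, the caller's length word is only partly updated. If oidlen is itself a size_t (its declaration is outside the hunk, so this is inferred from `oidlen *= sizeof(int)`), a big-endian 64-bit target would copy out its high half. Using one width in both directions, for example `error = copyout(&oidlen, SCARG(uap, oldlenp), sizeof(oidlen));`, would keep the read and the write-back consistent. The two `MIN(oidlen, oldlen)` arguments correctly use the kernel copy.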