Module Name: src Committed By: msaitoh Date: Mon Oct 27 12:38:29 UTC 2014
Modified Files: src/sys/compat/freebsd [netbsd-5-1]: freebsd_sysctl.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1926): sys/compat/freebsd/freebsd_sysctl.c: revision 1.17 I'm not sure reading from an unsanitized userland pointer is a good idea. Some users might be tempted to give 0x01, in which case the kernel will crash. To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.14.16.1 src/sys/compat/freebsd/freebsd_sysctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/freebsd/freebsd_sysctl.c
diff -u src/sys/compat/freebsd/freebsd_sysctl.c:1.14 src/sys/compat/freebsd/freebsd_sysctl.c:1.14.16.1
--- src/sys/compat/freebsd/freebsd_sysctl.c:1.14 Mon Apr 28 20:23:41 2008
+++ src/sys/compat/freebsd/freebsd_sysctl.c Mon Oct 27 12:38:29 2014
@@ -1,4 +1,4 @@
-/* $NetBSD: freebsd_sysctl.c,v 1.14 2008/04/28 20:23:41 martin Exp $ */
+/* $NetBSD: freebsd_sysctl.c,v 1.14.16.1 2014/10/27 12:38:29 msaitoh Exp $ */
 /*-
 * Copyright (c) 2005 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.14 2008/04/28 20:23:41 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: freebsd_sysctl.c,v 1.14.16.1 2014/10/27 12:38:29 msaitoh Exp $");
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -84,7 +84,7 @@ freebsd_sys_sysctl(struct lwp *l, const
 } */
 int error;
 int name[CTL_MAXNAME];
- size_t newlen, *oldlenp;
+ size_t newlen, *oldlenp, oldlen;
 u_int namelen;
 void *new, *old;
@@ -135,9 +135,14 @@ freebsd_sys_sysctl(struct lwp *l, const
 old = SCARG(uap, old);
 oldlenp = SCARG(uap, oldlenp);
- if (old == NULL || oldlenp == NULL || *oldlenp < sizeof(int))
+ if (old == NULL || oldlenp == NULL)
 return(EINVAL);
+ if ((error = copyin(oldlenp, &oldlen, sizeof(oldlen))))
+ return (error);
+ if (oldlen < sizeof(int))
+ return (EINVAL);
+
 if ((locnew = (char *) malloc(newlen + 1, M_TEMP, M_WAITOK)) == NULL)
 return(ENOMEM);
@@ -157,11 +162,11 @@ freebsd_sys_sysctl(struct lwp *l, const
 oidlen *= sizeof(int);
 error = copyout(oid, SCARG(uap, old),
- MIN(oidlen, *SCARG(uap, oldlenp)));
+ MIN(oidlen, oldlen));
 if (error)
 return(error);
 ktrmibio(-1, UIO_READ, SCARG(uap, old),
- MIN(oidlen, *SCARG(uap, oldlenp)), 0);
+ MIN(oidlen, oldlen), 0);
 error = copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int));
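Review bot: The `copyin(oldlenp, &oldlen, sizeof(oldlen))` added in the `-135,9 +135,14` hunk carries no comment explaining why the length is copied into a local, and that reason is what keeps a later edit from reintroducing the direct dereference. `oldlenp` is taken straight from `SCARG(uap, oldlenp)`, so it is a userland address that the kernel must not dereference. Fetching it once also means the value checked against `sizeof(int)` is the same value later used to bound the `copyout`. I would add above the call `/* oldlenp is a user pointer: fetch the length once with copyin() and use only the local copy below */`. As a smaller style point, the new lines write `return (error)` with a space where the neighbouring code writes `return(EINVAL)`; the function body starts and ends outside this hunk.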
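Review bot: In the `-157,11 +162,11` hunk the length is now read from `oldlenp` as a `size_t` (the `copyin` uses `sizeof(oldlen)`), but the unchanged last line, `copyout(&oidlen, SCARG(uap, oldlenp), sizeof(u_int))`, still writes only `sizeof(u_int)` bytes back to that same user address. Where the kernel's `size_t` is wider than `u_int`, the caller's length word is only partly overwritten, and on a big-endian port the bytes written would be the high half. If the emulated ABI's length word really is a `size_t`, writing back through the local keeps both directions the same width: `oldlen = oidlen;` followed by `error = copyout(&oldlen, oldlenp, sizeof(oldlen));`. The declaration of `oidlen` is outside the hunk, so its type is inferred from the `sizeof(u_int)` here, and the function continues past the last visible line.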