Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-2-0]: src/sys/net Pull up following revision(s) (requested by adr...
details:   https://anonhg.NetBSD.org/src/rev/337ef487a084
branches:  netbsd-2-0
changeset: 565016:337ef487a084
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Sun Nov 19 17:29:30 2006 +0000
description:
Pull up following revision(s) (requested by adrianp in ticket #10759):
        sys/net/if.c: revision 1.172 via patch
        sys/net/if.c: revision 1.173 via patch
        sys/net/if.c: revision 1.175 via patch
Avoid kernel memory disclose in if_clone_list().
diffstat:
 sys/net/if.c |  16 ++++++++++------
 1 files changed, 10 insertions(+), 6 deletions(-)
diffs (44 lines):
diff -r 62bce90bec5f -r 337ef487a084 sys/net/if.c
--- a/sys/net/if.c      Sun Oct 29 13:05:08 2006 +0000
+++ b/sys/net/if.c      Sun Nov 19 17:29:30 2006 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if.c,v 1.139.2.1 2004/05/28 07:24:37 tron Exp $        */
+/*     $NetBSD: if.c,v 1.139.2.2 2006/11/19 17:29:30 bouyer Exp $      */
 
 /*-
  * Copyright (c) 1999, 2000, 2001 The NetBSD Foundation, Inc.
@@ -97,7 +97,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.139.2.1 2004/05/28 07:24:37 tron Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.139.2.2 2006/11/19 17:29:30 bouyer Exp $");
 
 #include "opt_inet.h"
 
@@ -888,9 +888,10 @@
 
        for (ifc = LIST_FIRST(&if_cloners); ifc != NULL && count != 0;
             ifc = LIST_NEXT(ifc, ifc_list), count--, dst += IFNAMSIZ) {
-               strncpy(outbuf, ifc->ifc_name, IFNAMSIZ);
-               outbuf[IFNAMSIZ - 1] = '\0';    /* sanity */
-               error = copyout(outbuf, dst, IFNAMSIZ);
+               (void)strncpy(outbuf, ifc->ifc_name, sizeof(outbuf));
+               if (outbuf[sizeof(outbuf) - 1] != '\0')
+                       return ENAMETOOLONG;
+               error = copyout(outbuf, dst, sizeof(outbuf));
                if (error)
                        break;
        }
@@ -1634,7 +1635,10 @@
                sign = 1;
        }
        TAILQ_FOREACH(ifp, &ifnet, if_list) {
-               bcopy(ifp->if_xname, ifr.ifr_name, IFNAMSIZ);
+               (void)strncpy(ifr.ifr_name, ifp->if_xname,
+                   sizeof(ifr.ifr_name));
+               if (ifr.ifr_name[sizeof(ifr.ifr_name) - 1] != '\0')
+                       return ENAMETOOLONG; 
                if ((ifa = TAILQ_FIRST(&ifp->if_addrlist)) == 0) {
                        memset(&ifr.ifr_addr, 0, sizeof(ifr.ifr_addr));
                        if (ifrp != NULL && space >= sz) {
Home |
Main Index |
Thread Index |
Old Index