Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-7]: src/sys/compat/netbsd32 Pull up following revision(s) (reques...

details:   https://anonhg.NetBSD.org/src/rev/bce89e54640f
branches:  netbsd-7
changeset: 799529:bce89e54640f
user:      martin <martin%NetBSD.org@localhost>
date:      Sun Aug 02 11:29:10 2015 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #930):
        sys/compat/netbsd32/netbsd32_ioctl.c: revision 1.82
Wrong logic. Here, userland can control the size and the data copied, which
basically means it can overflow kernel memory.
ok martin@ christos@

diffstat:

 sys/compat/netbsd32/netbsd32_ioctl.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (36 lines):

diff -r 78e5bb75e466 -r bce89e54640f sys/compat/netbsd32/netbsd32_ioctl.c
--- a/sys/compat/netbsd32/netbsd32_ioctl.c      Fri Jul 31 17:55:21 2015 +0000
+++ b/sys/compat/netbsd32/netbsd32_ioctl.c      Sun Aug 02 11:29:10 2015 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: netbsd32_ioctl.c,v 1.69 2014/01/24 12:16:10 bouyer Exp $       */
+/*     $NetBSD: netbsd32_ioctl.c,v 1.69.4.1 2015/08/02 11:29:10 martin Exp $   */
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.69 2014/01/24 12:16:10 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.69.4.1 2015/08/02 11:29:10 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -137,7 +137,7 @@
        strlcpy(ifap->ifap_name, ifap32->ifap_name, sizeof(ifap->ifap_name));
        ifap->ifap_preference = ifap32->ifap_preference;
        memcpy(&ifap->ifap_addr, &ifap32->ifap_addr,
-           max(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
+           min(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
 }
 
 static inline void
@@ -454,7 +454,7 @@
        strlcpy(ifap32->ifap_name, ifap->ifap_name, sizeof(ifap32->ifap_name));
        ifap32->ifap_preference = ifap->ifap_preference;
        memcpy(&ifap32->ifap_addr, &ifap->ifap_addr,
-           max(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
+           min(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
 }
 
 static inline void
Home | Main Index | Thread Index | Old Index