The branch stable/13 has been updated by jamie:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=c1576434e9cf9c48b4d3975717c9f6cc6427cfd9

commit c1576434e9cf9c48b4d3975717c9f6cc6427cfd9
Author:     Jamie Gritton <ja...@freebsd.org>
AuthorDate: 2022-03-26 02:16:51 +0000
Commit:     Jamie Gritton <ja...@freebsd.org>
CommitDate: 2022-03-28 23:39:54 +0000

    mfc jail: handle jailsys parameters in modification permission test
    
    Avoid a null dereference when a value-less jailsys parameter is passed
    to "jail -m".  There was already code to handle boolean parameters,
    but in reality any parameter could be passed without a value.
    
    PR:             262471
    Reported by:    jcaplan at blackberry.com
    
    (cherry picked from commit 8f1543785f77086494c73310ba8f5d09b61ff7eb)
---
 usr.sbin/jail/jail.c | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c
index eb3b19f2cb82..63096146f176 100644
--- a/usr.sbin/jail/jail.c
+++ b/usr.sbin/jail/jail.c
@@ -790,7 +790,9 @@ static int
 rdtun_params(struct cfjail *j, int dofail)
 {
        struct jailparam *jp, *rtparams, *rtjp;
-       int nrt, rval;
+       const void *jp_value;
+       size_t jp_valuelen;
+       int nrt, rval, bool_true;
 
        if (j->flags & JF_RDTUN)
                return 0;
@@ -818,15 +820,25 @@ rdtun_params(struct cfjail *j, int dofail)
                rtjp = rtparams + 1;
                for (jp = j->jp; rtjp < rtparams + nrt; jp++) {
                        if (JP_RDTUN(jp) && strcmp(jp->jp_name, "jid")) {
-                               if (!((jp->jp_flags & (JP_BOOL | JP_NOBOOL)) &&
-                                   jp->jp_valuelen == 0 &&
-                                   *(int *)jp->jp_value) &&
-                                   !(rtjp->jp_valuelen == jp->jp_valuelen &&
-                                   !((jp->jp_ctltype & CTLTYPE) ==
-                                   CTLTYPE_STRING ? strncmp(rtjp->jp_value,
-                                   jp->jp_value, jp->jp_valuelen) :
-                                   memcmp(rtjp->jp_value, jp->jp_value,
-                                   jp->jp_valuelen)))) {
+                               jp_value = jp->jp_value;
+                               jp_valuelen = jp->jp_valuelen;
+                               if (jp_value == NULL && jp_valuelen > 0) {
+                                       if (jp->jp_flags & (JP_BOOL |
+                                           JP_NOBOOL | JP_JAILSYS)) {
+                                               bool_true = 1;
+                                               jp_value = &bool_true;
+                                               jp_valuelen = sizeof(bool_true);
+                                       } else if ((jp->jp_ctltype & CTLTYPE) ==
+                                           CTLTYPE_STRING)
+                                               jp_value = "";
+                                       else
+                                               jp_valuelen = 0;
+                               }
+                               if (rtjp->jp_valuelen != jp_valuelen ||
+                                   (CTLTYPE_STRING ? strncmp(rtjp->jp_value,
+                                   jp_value, jp_valuelen)
+                                   : memcmp(rtjp->jp_value, jp_value,
+                                   jp_valuelen))) {
                                        if (dofail) {
                                                jail_warnx(j, "%s cannot be "
                                                    "changed after creation",
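Review bot: The comparison in the new condition always takes the strncmp branch, because `(CTLTYPE_STRING ? strncmp(...) : memcmp(...))` tests the constant CTLTYPE_STRING itself rather than the parameter's type; the removed code tested `(jp->jp_ctltype & CTLTYPE) == CTLTYPE_STRING ?`, and that selector was dropped in the rewrite. For non-string parameters strncmp stops at the first zero byte, so two values that differ only past a zero byte (e.g. small ints) compare equal and a read-only-tunable change would go unreported instead of hitting the jail_warnx below. The fix is to restore the selector: `((jp->jp_ctltype & CTLTYPE) == CTLTYPE_STRING ? strncmp(rtjp->jp_value, jp_value, jp_valuelen)` followed by the existing `: memcmp(...)` arm. Separately, the `else jp_valuelen = 0;` path leaves jp_value NULL, and when rtjp->jp_valuelen is also 0 the compare call is still reached with a NULL pointer and length 0, which the standard does not permit even for n == 0; guarding with `(jp_valuelen > 0 && ...)` would avoid that, though whether that combination occurs in practice is not visible here. rdtun_params continues outside the hunk.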
