Author: jhb
Date: Fri Apr 24 22:10:02 2020
New Revision: 360285
URL: https://svnweb.freebsd.org/changeset/base/360285

Log:
  Don't indirect user pointers directly in two 802.11s ioctls.
  
  IEEE80211_MESH_RTCMD_ADD was invoking memcmp() to validate the
  supplied address directly on the user pointer rather than first doing
  a copyin() and validating the copied value.
  
  IEEE80211_MESH_RTCMD_DELETE was passing the user pointer directly to
  ieee80211_mesh_rt_del() rather than copying the user buffer into a
  temporary kernel buffer.
  
  Reviewed by:  brooks, kib
  Obtained from:        CheriBSD
  MFC after:    2 weeks
  Sponsored by: DARPA
  Differential Revision:        https://reviews.freebsd.org/D24562

Modified:
  head/sys/net80211/ieee80211_mesh.c

Modified: head/sys/net80211/ieee80211_mesh.c
==============================================================================
--- head/sys/net80211/ieee80211_mesh.c  Fri Apr 24 22:04:14 2020        
(r360284)
+++ head/sys/net80211/ieee80211_mesh.c  Fri Apr 24 22:10:02 2020        
(r360285)
@@ -3575,16 +3575,21 @@ mesh_ioctl_set80211(struct ieee80211vap *vap, struct i
                        ieee80211_mesh_rt_flush(vap);
                        break;
                case IEEE80211_MESH_RTCMD_ADD:
-                       if (IEEE80211_ADDR_EQ(vap->iv_myaddr, ireq->i_data) ||
-                           IEEE80211_ADDR_EQ(broadcastaddr, ireq->i_data))
-                               return EINVAL;
-                       error = copyin(ireq->i_data, &tmpaddr,
+                       error = copyin(ireq->i_data, tmpaddr,
                            IEEE80211_ADDR_LEN);
-                       if (error == 0)
-                               ieee80211_mesh_discover(vap, tmpaddr, NULL);
+                       if (error != 0)
+                               break;
+                       if (IEEE80211_ADDR_EQ(vap->iv_myaddr, tmpaddr) ||
+                           IEEE80211_ADDR_EQ(broadcastaddr, tmpaddr))
+                               return EINVAL;
+                       ieee80211_mesh_discover(vap, tmpaddr, NULL);
                        break;
                case IEEE80211_MESH_RTCMD_DELETE:
-                       ieee80211_mesh_rt_del(vap, ireq->i_data);
+                       error = copyin(ireq->i_data, tmpaddr,
+                           IEEE80211_ADDR_LEN);
+                       if (error != 0)
+                               break;
+                       ieee80211_mesh_rt_del(vap, tmpaddr);
                        break;
                default:
                        return ENOSYS;
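Review bot: Both the IEEE80211_MESH_RTCMD_ADD and IEEE80211_MESH_RTCMD_DELETE cases now copyin() a fixed IEEE80211_ADDR_LEN bytes from `ireq->i_data`, but nothing visible in the hunk checks that the caller-declared `ireq->i_len` matches that size. If no earlier check exists outside the hunk, consider rejecting mismatched requests before the copy with `if (ireq->i_len != IEEE80211_ADDR_LEN) return EINVAL;`, so a short or malformed request fails explicitly instead of reading whatever follows the user buffer. The ADD case also mixes two error conventions: a copyin() failure sets `error` and breaks, while the address check does `return EINVAL;`. Using `error = EINVAL; break;` there would keep a single exit path, assuming `error` is returned after the switch (the rest of mesh_ioctl_set80211 is outside the hunk). A short comment above each copyin(), such as `/* i_data is a user pointer; copy it in before any comparison or use */`, would help keep later edits from reintroducing the direct dereference.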