Author: brooks
Date: Wed Nov 30 01:22:12 2016
New Revision: 309304
URL: https://svnweb.freebsd.org/changeset/base/309304

Log:
  MFC r309027:
  
  Allocate a struct ifreq rather than using a (wrong) computed size for
  the BIOCSETIF ioctl.
  
  The kernel always copies an entire struct ifreq and IPv4 addresses will
  always fit in an ifreq.
  
  On systems with pointers larger than 64 bits, the computed size will be
  less than the size of struct ifreq, potentially resulting in the kernel
  attempting to copyin memory from outside the allocation.
  
  Reviewed by:  jhb
  Obtained from:        CheriBSD
  Sponsored by: DARPA, AFRL
  Differential Revision:        https://reviews.freebsd.org/D8445

Modified:
  stable/10/sbin/dhclient/dispatch.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/sbin/dhclient/dispatch.c
==============================================================================
--- stable/10/sbin/dhclient/dispatch.c  Wed Nov 30 01:17:02 2016        
(r309303)
+++ stable/10/sbin/dhclient/dispatch.c  Wed Nov 30 01:22:12 2016        
(r309304)
@@ -105,8 +105,8 @@ discover_interfaces(struct interface_inf
                        if (foo.sin_addr.s_addr == htonl(INADDR_LOOPBACK))
                                continue;
                        if (!iface->ifp) {
-                               int len = IFNAMSIZ + ifa->ifa_addr->sa_len;
-                               if ((tif = malloc(len)) == NULL)
+                               if ((tif = calloc(1, sizeof(struct ifreq)))
+                                   == NULL)
                                        error("no space to remember ifp");
                                strlcpy(tif->ifr_name, ifa->ifa_name, IFNAMSIZ);
                                memcpy(&tif->ifr_addr, ifa->ifa_addr,
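Review bot: the memcpy into &tif->ifr_addr at the end of the hunk now writes into a fixed-size allocation, so its length argument (cut off in the visible context) should be bounded by sizeof(tif->ifr_addr). Before this change the buffer was sized from ifa->ifa_addr->sa_len; with calloc(1, sizeof(struct ifreq)) that is no longer the case, and if the copy length is still taken from sa_len, the only thing keeping it in bounds is the address-family filtering earlier in the loop. The log message says IPv4 addresses always fit in an ifreq and that the kernel copies a whole struct ifreq for BIOCSETIF; a short comment at the calloc stating both would keep that reasoning next to the code. As a style point, sizeof(*tif) would tie the allocation size to the pointer's type instead of repeating the struct name.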