Sat Aug 19 05:37:06 2017 UTC ()
Pull up following revision(s) (requested by mrg in ticket #1488):
	sys/altq/altq_cbq.c: revision 1.31
	sys/altq/altq_hfsc.c: revision 1.27
	sys/altq/altq_jobs.c: revision 1.11
	sys/altq/altq_priq.c: revision 1.24
	sys/altq/altq_wfq.c: revision 1.22
Zero buffers copied to userland to avoid stack disclosure.
From Ilja Van Sprundel.
--
Reject negative indices.
(Would be nice to change the types too, and it's *probably* safe to
replace int by u_int, but I'm reluctant to touch the ioctl
definitions without at least a modicum more thought.  Also one of
them is a u_long, because why not?)
From Ilja Van Sprundel.


(snj)
diff -r1.26 -r1.26.18.1 src/sys/altq/altq_cbq.c
diff -r1.24 -r1.24.36.1 src/sys/altq/altq_hfsc.c
diff -r1.6.14.1 -r1.6.14.2 src/sys/altq/altq_jobs.c
diff -r1.21 -r1.21.18.1 src/sys/altq/altq_priq.c
diff -r1.19 -r1.19.34.1 src/sys/altq/altq_wfq.c

cvs diff -r1.26 -r1.26.18.1 src/sys/altq/altq_cbq.c (expand / switch to context diff)
--- src/sys/altq/altq_cbq.c 2009/11/22 18:40:26 1.26
+++ src/sys/altq/altq_cbq.c 2017/08/19 05:37:06 1.26.18.1
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_cbq.c,v 1.26 2009/11/22 18:40:26 mbalmer Exp $	*/
+/*	$NetBSD: altq_cbq.c,v 1.26.18.1 2017/08/19 05:37:06 snj Exp $	*/
 /*	$KAME: altq_cbq.c,v 1.21 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.26 2009/11/22 18:40:26 mbalmer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_cbq.c,v 1.26.18.1 2017/08/19 05:37:06 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -472,6 +472,7 @@
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(&stats, 0, sizeof(stats));
 	get_class_stats(&stats, cl);
 
 	if ((error = copyout((void *)&stats, ubuf, sizeof(stats))) != 0)
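Review bot: The new memset on the line before get_class_stats() carries no comment explaining why it is there, and since get_class_stats() visibly writes into the same struct a later reader may judge it redundant and drop it, reintroducing the disclosure. The zeroing matters because copyout() on the line below copies the whole object, including padding bytes and any field get_class_stats() leaves untouched; propose `/* zero padding and unset fields: the whole struct is copied to userland */` above the memset. The same applies to the second altq_cbq.c hunk and to the altq_hfsc.c and altq_priq.c hunks, which add the identical line. Note that an `= {0}` initializer at the declaration (outside this hunk) would not be a substitute, as it is not guaranteed to clear padding, whereas memset is. The enclosing function starts outside the hunk.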
@@ -876,6 +877,7 @@
 			if (++i >= CBQ_MAX_CLASSES)
 				goto out;
 
+		memset(&stats, 0, sizeof(stats));
 		get_class_stats(&stats, cl);
 		stats.handle = cl->stats_.handle;
 

cvs diff -r1.24 -r1.24.36.1 src/sys/altq/altq_hfsc.c (expand / switch to context diff)
--- src/sys/altq/altq_hfsc.c 2008/06/18 09:06:27 1.24
+++ src/sys/altq/altq_hfsc.c 2017/08/19 05:37:06 1.24.36.1
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $	*/
+/*	$NetBSD: altq_hfsc.c,v 1.24.36.1 2017/08/19 05:37:06 snj Exp $	*/
 /*	$KAME: altq_hfsc.c,v 1.26 2005/04/13 03:44:24 suz Exp $	*/
 
 /*
@@ -43,7 +43,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24 2008/06/18 09:06:27 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_hfsc.c,v 1.24.36.1 2017/08/19 05:37:06 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -313,6 +313,7 @@
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(&stats, 0, sizeof(stats));
 	get_class_stats(&stats, cl);
 
 	if ((error = copyout((void *)&stats, ubuf, sizeof(stats))) != 0)

cvs diff -r1.6.14.1 -r1.6.14.2 src/sys/altq/altq_jobs.c (expand / switch to context diff)
--- src/sys/altq/altq_jobs.c 2014/11/03 15:08:44 1.6.14.1
+++ src/sys/altq/altq_jobs.c 2017/08/19 05:37:06 1.6.14.2
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_jobs.c,v 1.6.14.1 2014/11/03 15:08:44 msaitoh Exp $	*/
+/*	$NetBSD: altq_jobs.c,v 1.6.14.2 2017/08/19 05:37:06 snj Exp $	*/
 /*	$KAME: altq_jobs.c,v 1.11 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (c) 2001, the Rector and Board of Visitors of the
@@ -59,7 +59,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.14.1 2014/11/03 15:08:44 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_jobs.c,v 1.6.14.2 2017/08/19 05:37:06 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -2111,10 +2111,9 @@
 	usp = ap->stats;
 	for (pri = 0; pri <= jif->jif_maxpri; pri++) {
 		cl = jif->jif_classes[pri];
+		(void)memset(&stats, 0, sizeof(stats));
 		if (cl != NULL)
 			get_class_stats(&stats, cl);
-		else
-			(void)memset(&stats, 0, sizeof(stats));
 		if ((error = copyout((void *)&stats, (void *)usp++,
 				     sizeof(stats))) != 0)
 			return (error);
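Review bot: The hoisted `(void)memset(&stats, 0, sizeof(stats));` casts the result to void, while the equivalent lines this pull-up adds to altq_cbq.c, altq_hfsc.c and altq_priq.c use a bare `memset(...)`; with all five files touched by one change, a single form should be used throughout (the bare form is the simpler one, or keep `(void)` everywhere if the tree's lint settings expect it). Moving the memset ahead of the `cl != NULL` test is the right shape, since a non-NULL class now also has padding and unset fields cleared before the copyout that follows. A short comment such as `/* always zero: the whole struct goes to userland */` would keep someone from folding it back into an else branch as a tidy-up. The function enclosing this loop starts and ends outside the hunk.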

cvs diff -r1.21 -r1.21.18.1 src/sys/altq/altq_priq.c (expand / switch to context diff)
--- src/sys/altq/altq_priq.c 2009/03/14 15:35:58 1.21
+++ src/sys/altq/altq_priq.c 2017/08/19 05:37:06 1.21.18.1
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_priq.c,v 1.21 2009/03/14 15:35:58 dsl Exp $	*/
+/*	$NetBSD: altq_priq.c,v 1.21.18.1 2017/08/19 05:37:06 snj Exp $	*/
 /*	$KAME: altq_priq.c,v 1.13 2005/04/13 03:44:25 suz Exp $	*/
 /*
  * Copyright (C) 2000-2003
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: altq_priq.c,v 1.21 2009/03/14 15:35:58 dsl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_priq.c,v 1.21.18.1 2017/08/19 05:37:06 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -219,6 +219,7 @@
 	if (*nbytes < sizeof(stats))
 		return (EINVAL);
 
+	memset(&stats, 0, sizeof(stats));
 	get_class_stats(&stats, cl);
 
 	if ((error = copyout((void *)&stats, ubuf, sizeof(stats))) != 0)

cvs diff -r1.19 -r1.19.34.1 src/sys/altq/altq_wfq.c (expand / switch to context diff)
--- src/sys/altq/altq_wfq.c 2008/09/11 17:58:59 1.19
+++ src/sys/altq/altq_wfq.c 2017/08/19 05:37:06 1.19.34.1
@@ -1,4 +1,4 @@
-/*	$NetBSD: altq_wfq.c,v 1.19 2008/09/11 17:58:59 joerg Exp $	*/
+/*	$NetBSD: altq_wfq.c,v 1.19.34.1 2017/08/19 05:37:06 snj Exp $	*/
 /*	$KAME: altq_wfq.c,v 1.14 2005/04/13 03:44:25 suz Exp $	*/
 
 /*
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: altq_wfq.c,v 1.19 2008/09/11 17:58:59 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: altq_wfq.c,v 1.19.34.1 2017/08/19 05:37:06 snj Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq.h"
@@ -518,14 +518,15 @@
 	wfq *queue;
 	int old;
 
-	if (swp->weight < 0) {
-		printf("set weight in natural number\n");
+	if (swp->weight < 0)
 		return (EINVAL);
-	}
 
 	if ((wfqp = altq_lookup(swp->iface.wfq_ifacename, ALTQT_WFQ)) == NULL)
 		return (EBADF);
 
+	if (swp->qid < 0 || swp->qid >= wfqp->nums)
+		return (EINVAL);
+
 	queue = &wfqp->queue[swp->qid];
 	old = queue->weight;
 	queue->weight = swp->weight;
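Review bot: The range check added before `queue = &wfqp->queue[swp->qid];` is repeated verbatim in the second altq_wfq.c hunk (`gsp->qid < 0 || gsp->qid >= wfqp->nums`); a small static inline helper taking wfqp and the qid, returning true only for `0 <= qid < wfqp->nums`, would give the bound one definition so any further ioctl path indexing wfqp->queue[] cannot drift from it. The declaration of nums is not visible in this hunk; if it is unsigned, the `>= wfqp->nums` comparison promotes qid to unsigned and would reject negatives on its own, but the explicit `< 0` test remains the clearer statement of intent and should stay. Dropping the printf on a negative weight is fine, as EINVAL already reports the condition to the caller. The enclosing function starts outside the hunk.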
@@ -544,7 +545,7 @@
 	if ((wfqp = altq_lookup(gsp->iface.wfq_ifacename, ALTQT_WFQ)) == NULL)
 		return (EBADF);
 
-	if (gsp->qid >= wfqp->nums)
+	if (gsp->qid < 0 || gsp->qid >= wfqp->nums)
 		return (EINVAL);
 
 	queue = &wfqp->queue[gsp->qid];