Fri Jul 17 15:24:49 2020 UTC ()
Pull up following revision(s) (requested by msaitoh in ticket #1018):
sys/net/if.c: revision 1.479
sys/compat/common/uipc_syscalls_40.c: revision 1.23
sys/compat/linux/common/linux_socket.c: revision 1.150
sys/compat/linux32/common/linux32_socket.c: revision 1.31
Don't accept negative value.
(martin)
diff -r1.20 -r1.20.2.1 src/sys/compat/common/uipc_syscalls_40.c
diff -r1.145.4.1 -r1.145.4.2 src/sys/compat/linux/common/linux_socket.c
diff -r1.30 -r1.30.4.1 src/sys/compat/linux32/common/linux32_socket.c
diff -r1.457.2.3 -r1.457.2.4 src/sys/net/if.c
--- src/sys/compat/common/uipc_syscalls_40.c 2019/04/23 07:45:06 1.20
+++ src/sys/compat/common/uipc_syscalls_40.c 2020/07/17 15:24:48 1.20.2.1
@@ -1,9 +1,9 @@
-/* $NetBSD: uipc_syscalls_40.c,v 1.20 2019/04/23 07:45:06 msaitoh Exp $ */
+/* $NetBSD: uipc_syscalls_40.c,v 1.20.2.1 2020/07/17 15:24:48 martin Exp $ */
/* written by Pavel Cahyna, 2006. Public domain. */
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls_40.c,v 1.20 2019/04/23 07:45:06 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls_40.c,v 1.20.2.1 2020/07/17 15:24:48 martin Exp $");
#if defined(_KERNEL_OPT)
#include "opt_compat_netbsd.h"
@@ -54,11 +54,14 @@
return ENOSYS;
}
- memset(&ifr, 0, sizeof(ifr));
if (docopy) {
+ if (ifc->ifc_len < 0)
+ return EINVAL;
+
space = ifc->ifc_len;
ifrp = ifc->ifc_req;
}
+ memset(&ifr, 0, sizeof(ifr));
bound = curlwp_bind();
s = pserialize_read_enter();
--- src/sys/compat/linux/common/linux_socket.c 2019/09/13 06:25:25 1.145.4.1
+++ src/sys/compat/linux/common/linux_socket.c 2020/07/17 15:24:48 1.145.4.2
@@ -1,4 +1,4 @@
-/* $NetBSD: linux_socket.c,v 1.145.4.1 2019/09/13 06:25:25 martin Exp $ */
+/* $NetBSD: linux_socket.c,v 1.145.4.2 2020/07/17 15:24:48 martin Exp $ */
/*-
* Copyright (c) 1995, 1998, 2008 The NetBSD Foundation, Inc.
@@ -35,7 +35,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux_socket.c,v 1.145.4.1 2019/09/13 06:25:25 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_socket.c,v 1.145.4.2 2020/07/17 15:24:48 martin Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -1140,12 +1140,15 @@
if (error)
return error;
- memset(&ifr, 0, sizeof(ifr));
docopy = ifc.ifc_req != NULL;
if (docopy) {
+ if (ifc.ifc_len < 0)
+ return EINVAL;
+
space = ifc.ifc_len;
ifrp = ifc.ifc_req;
}
+ memset(&ifr, 0, sizeof(ifr));
bound = curlwp_bind();
s = pserialize_read_enter();
--- src/sys/compat/linux32/common/linux32_socket.c 2019/04/18 17:45:12 1.30
+++ src/sys/compat/linux32/common/linux32_socket.c 2020/07/17 15:24:49 1.30.4.1
@@ -1,4 +1,4 @@
-/* $NetBSD: linux32_socket.c,v 1.30 2019/04/18 17:45:12 christos Exp $ */
+/* $NetBSD: linux32_socket.c,v 1.30.4.1 2020/07/17 15:24:49 martin Exp $ */
/*-
* Copyright (c) 2006 Emmanuel Dreyfus, all rights reserved.
@@ -33,7 +33,7 @@
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux32_socket.c,v 1.30 2019/04/18 17:45:12 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux32_socket.c,v 1.30.4.1 2020/07/17 15:24:49 martin Exp $");
#include <sys/types.h>
#include <sys/param.h>
@@ -431,12 +431,15 @@
if (error)
return error;
- memset(&ifr, 0, sizeof(ifr));
docopy = NETBSD32PTR64(ifc.ifc_req) != NULL;
if (docopy) {
+ if (ifc.ifc_len < 0)
+ return EINVAL;
+
space = ifc.ifc_len;
ifrp = NETBSD32PTR64(ifc.ifc_req);
}
+ memset(&ifr, 0, sizeof(ifr));
bound = curlwp_bind();
s = pserialize_read_enter();
--- src/sys/net/if.c 2019/12/17 16:12:54 1.457.2.3
+++ src/sys/net/if.c 2020/07/17 15:24:48 1.457.2.4
@@ -1,4 +1,4 @@
-/* $NetBSD: if.c,v 1.457.2.3 2019/12/17 16:12:54 martin Exp $ */
+/* $NetBSD: if.c,v 1.457.2.4 2020/07/17 15:24:48 martin Exp $ */
/*-
* Copyright (c) 1999, 2000, 2001, 2008 The NetBSD Foundation, Inc.
@@ -90,7 +90,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.457.2.3 2019/12/17 16:12:54 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if.c,v 1.457.2.4 2020/07/17 15:24:48 martin Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -3465,11 +3465,14 @@
int bound;
struct psref psref;
- memset(&ifr, 0, sizeof(ifr));
if (docopy) {
+ if (ifc->ifc_len < 0)
+ return EINVAL;
+
space = ifc->ifc_len;
ifrp = ifc->ifc_req;
}
+ memset(&ifr, 0, sizeof(ifr));
bound = curlwp_bind();
s = pserialize_read_enter();