Source-Changes-HG archive
[src/trunk]: src/sys/netinet6 add boundary check for nd6_ifinfo (otherwise nd...
details: https://anonhg.NetBSD.org/src/rev/d0e0eaec619a
branches: trunk
changeset: 485109:d0e0eaec619a
user: itojun <itojun%NetBSD.org@localhost>
date: Wed Apr 19 07:13:03 2000 +0000
description:
add boundary check for nd6_ifinfo (otherwise ndp -i can make out-of-bound
accesses).
diffstat:
sys/netinet6/nd6.c | 24 +++++++++++++++++-------
1 files changed, 17 insertions(+), 7 deletions(-)
diffs (73 lines):
diff -r c6496e057e13 -r d0e0eaec619a sys/netinet6/nd6.c
--- a/sys/netinet6/nd6.c Wed Apr 19 06:50:27 2000 +0000
+++ b/sys/netinet6/nd6.c Wed Apr 19 07:13:03 2000 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: nd6.c,v 1.26 2000/04/16 15:28:00 itojun Exp $ */
-/* $KAME: nd6.c,v 1.55 2000/04/16 14:08:30 itojun Exp $ */
+/* $NetBSD: nd6.c,v 1.27 2000/04/19 07:13:03 itojun Exp $ */
+/* $KAME: nd6.c,v 1.56 2000/04/19 06:17:43 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -95,6 +95,7 @@
static int nd6_inuse, nd6_allocated;
struct llinfo_nd6 llinfo_nd6 = {&llinfo_nd6, &llinfo_nd6};
+static size_t nd_ifinfo_indexlim = 8;
struct nd_ifinfo *nd_ifinfo = NULL;
struct nd_drhead nd_defrouter;
struct nd_prhead nd_prefix = { 0 };
@@ -137,21 +138,20 @@
nd6_ifattach(ifp)
struct ifnet *ifp;
{
- static size_t if_indexlim = 8;
/*
* We have some arrays that should be indexed by if_index.
* since if_index will grow dynamically, they should grow too.
*/
- if (nd_ifinfo == NULL || if_index >= if_indexlim) {
+ if (nd_ifinfo == NULL || if_index >= nd_ifinfo_indexlim) {
size_t n;
caddr_t q;
- while (if_index >= if_indexlim)
- if_indexlim <<= 1;
+ while (if_index >= nd_ifinfo_indexlim)
+ nd_ifinfo_indexlim <<= 1;
/* grow nd_ifinfo */
- n = if_indexlim * sizeof(struct nd_ifinfo);
+ n = nd_ifinfo_indexlim * sizeof(struct nd_ifinfo);
q = (caddr_t)malloc(n, M_IP6NDP, M_WAITOK);
bzero(q, n);
if (nd_ifinfo) {
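Review bot: `nd_ifinfo_indexlim` is raised by the `while` loop before the larger array is allocated, and the allocation uses `M_WAITOK`, so it may sleep while the limit already describes the new size and `nd_ifinfo` still points at the old, smaller array. Now that the limit is file-scope and read by the checks this commit adds in the ioctl and slow-timer paths, a reader running in that window could pass the check and index past the old allocation (inferred; whether those paths can run then depends on locking not visible here). Compute the grown size in a local, e.g. `size_t newlim = nd_ifinfo_indexlim;`, and store `nd_ifinfo_indexlim = newlim;` only after `nd_ifinfo` has been replaced. The pointer swap and the rest of nd6_ifattach lie outside the hunk.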
@@ -1394,10 +1394,18 @@
break;
case SIOCGIFINFO_IN6:
+ if (!nd_ifinfo || i >= nd_ifinfo_indexlim) {
+ error = EINVAL;
+ break;
+ }
ndi->ndi = nd_ifinfo[ifp->if_index];
break;
case SIOCSIFINFO_FLAGS:
/* XXX: almost all other fields of ndi->ndi is unused */
+ if (!nd_ifinfo || i >= nd_ifinfo_indexlim) {
+ error = EINVAL;
+ break;
+ }
nd_ifinfo[ifp->if_index].flags = ndi->ndi.flags;
break;
case SIOCSNDFLUSH_IN6: /* XXX: the ioctl name is confusing... */
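Review bot: Both added guards test `i`, but the array accesses they protect are indexed by `ifp->if_index` (`nd_ifinfo[ifp->if_index]` under `SIOCGIFINFO_IN6` and `SIOCSIFINFO_FLAGS`). Nothing in the hunk assigns `i` from the interface index, so unless that happens earlier in the function the check is unrelated to the index actually used: the out-of-bounds read or write stays reachable, or valid requests get `EINVAL`. The condition should be `if (!nd_ifinfo || ifp->if_index >= nd_ifinfo_indexlim) {` in both cases. The enclosing switch starts and ends outside the hunk.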
@@ -1707,6 +1715,8 @@
callout_reset(&nd6_slowtimo_ch, ND6_SLOWTIMER_INTERVAL * hz,
nd6_slowtimo, NULL);
for (i = 1; i < if_index + 1; i++) {
+ if (!nd_ifinfo || i >= nd_ifinfo_indexlim)
+ continue;
nd6if = &nd_ifinfo[i];
if (nd6if->basereachable && /* already initialized */
(nd6if->recalctm -= ND6_SLOWTIMER_INTERVAL) <= 0) {
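Review bot: The added check in the `for` loop is evaluated on every iteration, although `nd_ifinfo` is not modified in the visible loop body and `i` only increases, so once `i >= nd_ifinfo_indexlim` holds every later iteration is skipped as well. Using `break` instead of `continue`, or testing `nd_ifinfo` once before the loop, states that intent more directly. A short comment such as `/* nd_ifinfo may not yet cover every if_index; it is grown in nd6_ifattach() */` would explain why the guard is needed. The loop body continues outside the hunk.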