Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-6]: src/sys/compat/netbsd32 Pull up following revision(s) (reques...

details:   https://anonhg.NetBSD.org/src/rev/9e0f371a2d93
branches:  netbsd-6
changeset: 776986:9e0f371a2d93
user:      martin <martin%NetBSD.org@localhost>
date:      Sun Aug 02 12:50:48 2015 +0000

description:
Pull up following revision(s) (requested by maxv in ticket #1318):
        sys/compat/netbsd32/netbsd32_ioctl.c: revision 1.82
Wrong logic. Here, userland can control the size and the data copied, which
basically means it can overflow kernel memory.
ok martin@ christos@

diffstat:

 sys/compat/netbsd32/netbsd32_ioctl.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (36 lines):

diff -r 761f47c4a029 -r 9e0f371a2d93 sys/compat/netbsd32/netbsd32_ioctl.c
--- a/sys/compat/netbsd32/netbsd32_ioctl.c      Fri Jul 24 07:40:57 2015 +0000
+++ b/sys/compat/netbsd32/netbsd32_ioctl.c      Sun Aug 02 12:50:48 2015 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: netbsd32_ioctl.c,v 1.64.8.1 2014/03/18 07:18:22 msaitoh Exp $  */
+/*     $NetBSD: netbsd32_ioctl.c,v 1.64.8.2 2015/08/02 12:50:48 martin Exp $   */
 
 /*
  * Copyright (c) 1998, 2001 Matthew R. Green
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.64.8.1 2014/03/18 07:18:22 msaitoh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: netbsd32_ioctl.c,v 1.64.8.2 2015/08/02 12:50:48 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -193,7 +193,7 @@
        strlcpy(ifap->ifap_name, ifap32->ifap_name, sizeof(ifap->ifap_name));
        ifap->ifap_preference = ifap32->ifap_preference;
        memcpy(&ifap->ifap_addr, &ifap32->ifap_addr,
-           max(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
+           min(ifap32->ifap_addr.ss_len, _SS_MAXSIZE));
 }
 
 static inline void
@@ -443,7 +443,7 @@
        strlcpy(ifap32->ifap_name, ifap->ifap_name, sizeof(ifap32->ifap_name));
        ifap32->ifap_preference = ifap->ifap_preference;
        memcpy(&ifap32->ifap_addr, &ifap->ifap_addr,
-           max(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
+           min(ifap->ifap_addr.ss_len, _SS_MAXSIZE));
 }
 
 static inline void
Home | Main Index | Thread Index | Old Index