Bug 12996

Summary: ifconf in sys/net/if.c returns larger buffer than filled
Product: Base System
Reporter: Reinier Bezuidenhout <rbezuide>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: 3.2-STABLE   
Hardware: Any   
OS: Any   
Attachments:
file.diff (flags: none)

Description Reinier Bezuidenhout 1999-08-06 08:20:01 UTC
When a program calls the SIOCGIFCONF ioctl and the
function ifconf in sys/net/if.c is executed, the value
that is returned in ifc.ifc_len could be longer than
what was filled in the buffer, causing the calling process
to read more data and crash.

Example ...

The calling process sends 16384 (512 * 32) as the size of the buffer.

ifconf loops through the number of interfaces and sees that
there are more interfaces than can fit into this buffer.  It
then fills the buffer to 16344 bytes and one of
the checks fails ... ifconf doesn't return 16344 but still
returns 16384.  This causes the calling process to think that
there is still one more interface in the buffer it received,
which there is not.
e.g. the program sendmail (Sendmail 8.9.3/8.8.5; fixed in 8.10)

It could also happen to other programs.

Fix: Checking was added to sendmail 8.10 for this.
	in sys/net/if.c add code to only return the exact amount
	of data written into the buffer.
	Example patch - not the best way. Please check :)

ifrp = ifc->ifc_req;
        for (; space > sizeof (ifr) && ifp; ifp = ifp->if_link.tqe_next) {
--- 814,820 ----
        register struct ifnet *ifp = ifnet.tqh_first;
        register struct ifaddr *ifa;
        struct ifreq ifr, *ifrp;
!       int space = ifc->ifc_len, error = 0, unused = 0;

        ifrp = ifc->ifc_req;
        for (; space > sizeof (ifr) && ifp; ifp = ifp->if_link.tqe_next) {
***************
How-To-Repeat: 
	Configure a 3.2-STABLE kernel with more than 256 devices. Boot.
	Delete all configured devices (not delete, just
	ifconfig fxp0 delete).
	Run newaliases.
	It generates a segmentation fault.
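Added example (constructed for this page; it is not the PR's patch or the kernel's sys/net/if.c): a small C model of the ifconf() copy loop and of a client that trusts ifc_len, showing why echoing the caller's buffer size back makes the client parse one phantom record past the written data. The record layout, the 96-byte buffer and the sa_len values are assumptions chosen to reproduce the "one more interface" effect in miniature.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IFNAME_LEN   16   /* IFNAMSIZ */
#define MIN_ADDR_LEN 16   /* sizeof(struct sockaddr) in the classic BSD layout */

/* Constructed model of the ifconf() copy loop (not the real sys/net/if.c).
 * Record i = IFNAME_LEN name bytes + an address whose first byte is its sa_len.
 * Returns the value handed back in ifc_len: fixed == 0 echoes the caller's
 * buffer size (the bug in the PR); fixed != 0 returns the bytes written. */
size_t ifconf_model(uint8_t *buf, size_t buflen, const uint8_t *addr_lens,
                    size_t n_ifaces, int fixed)
{
    size_t space = buflen, i;
    memset(buf, 0, buflen);                        /* unwritten tail stays zero */
    for (i = 0; i < n_ifaces; i++) {
        size_t alen = addr_lens[i] > MIN_ADDR_LEN ? addr_lens[i] : MIN_ADDR_LEN;
        if (space < IFNAME_LEN + alen) break;      /* record does not fit */
        uint8_t *rec = buf + (buflen - space);
        memset(rec, 'a', IFNAME_LEN);              /* stand-in for the name */
        rec[IFNAME_LEN] = (uint8_t)alen;           /* sa_len */
        memset(rec + IFNAME_LEN + 1, 0xEE, alen - 1);
        space -= IFNAME_LEN + alen;
    }
    return fixed ? buflen - space : buflen;
}

/* Client walk that trusts ifc_len: step by IFNAME_LEN + max(sa_len, MIN_ADDR_LEN)
 * until reported_len is used up. A phantom record parsed from the zeroed tail
 * is the "one more interface" the PR describes; a real client would then
 * dereference garbage. Returns the number of records parsed. */
size_t walk_records(const uint8_t *buf, size_t reported_len)
{
    size_t off = 0, count = 0;
    while (off + IFNAME_LEN + MIN_ADDR_LEN <= reported_len) {
        size_t alen = buf[off + IFNAME_LEN] > MIN_ADDR_LEN ? buf[off + IFNAME_LEN]
                                                           : MIN_ADDR_LEN;
        off += IFNAME_LEN + alen;
        count++;
    }
    return count;
}

/* The PR scenario in miniature: a 96-byte buffer and three interfaces, the third
 * (sa_len 60) too large to fit. Returns how many records the client parses. */
size_t demo_parsed_records(int fixed)
{
    static const uint8_t lens[3] = { 16, 16, 60 }; /* constructed sa_len values */
    uint8_t buf[96];
    size_t reported = ifconf_model(buf, sizeof buf, lens, 3, fixed);
    return walk_records(buf, reported);            /* 3 when buggy, 2 when fixed */
}
```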
Comment 1 patrick 2000-03-11 07:22:50 UTC
This PR should be closed by the fix included in kern/17311.


http://www.freebsd.org/cgi/query-pr.cgi?pr=17311



-- 
Patrick Bihan-Faou
MindStep Corporation
Comment 2 guido freebsd_committer freebsd_triage 2000-04-21 18:50:43 UTC
State Changed
From-To: open->feedback

Please check if rev. 1.86 of if.c (in 5.0-current) or rev 1.85.2.1
(4-stable) fixes it.
Comment 3 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2001-03-13 01:45:33 UTC
State Changed
From-To: feedback->closed

This problem was fixed a long time ago, but only one of the two PRs
reporting it was closed.