Bug 17492

Summary: There is a bug in SIOCGIFCONF ioctl code
Product: Base System
Reporter: alo <alo>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Unspecified
Hardware: Any
OS: Any

Description alo 2000-03-19 21:40:01 UTC
There is a bug in net/if.c in function ifconf where variable space
is compared with sizeof(ifr).  sizeof appears to always be
unsigned, and the int space, which can be negative, gets converted into
unsigned and becomes a very large number, greater than sizeof(ifr).

Fix:

Change all sizeof(ifr) etc. into (int)(sizeof(ifr))

How-To-Repeat: It may be a little bit tricky to adjust all parameters
but it definitely is possible.

Comment 1 patrick 2000-03-30 17:27:41 UTC
This bug is the same as described in PR kern/17311.

Basically what goes wrong is that the variable "space" can be decremented
too much resulting in a negative number.

Then, when you do a compare between space and sizeof(xxx) to verify if there
is enough room for the next interface config structure, the comparison
succeeds because the "signed" int (space) gets silently cast to an
"unsigned" int (which of course is fairly large).


PR 17311 contains a more complete fix than just changing all sizeof(xxx) to
(int)sizeof(xxx), which may result in incomplete structures being copied
over.

Patrick.
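
A simplified model of the comparison discussed in the description and in comment 1, added here as an example; it is not code from net/if.c or from PR 17311. `struct rec`, `fill` and the three `room_*` guards are hypothetical names, and `room_full` is an assumed stricter check, not the PR's actual fix.

```c
#include <stdio.h>

/* Hypothetical fixed-size record standing in for struct ifreq (32 bytes). */
struct rec { char name[16]; char addr[16]; };

/* Guard as reported: int vs. size_t. A negative space is converted to a
 * huge unsigned value, so the test passes. `need` is ignored here. */
static int room_buggy(int space, int need)
{
    (void)need;
    return space >= sizeof(struct rec);
}

/* Guard with the cast proposed in the report: the comparison is signed,
 * so a negative space stops the loop, but only the fixed part is checked. */
static int room_cast(int space, int need)
{
    (void)need;
    return space >= (int)sizeof(struct rec);
}

/* Assumed stricter guard (not taken from PR 17311): the whole record,
 * including its variable tail, must fit before it is admitted. */
static int room_full(int space, int need)
{
    return space >= need;
}

/* Model of the copy loop: each record needs sizeof(struct rec) + extra
 * bytes. Returns the bytes it would write for a len-byte buffer (no copy). */
static size_t fill(int len, int nrec, int extra, int (*room)(int, int))
{
    int need = (int)sizeof(struct rec) + extra;
    int space = len;
    size_t written = 0;
    for (int i = 0; i < nrec && room(space, need); i++) {
        written += (size_t)need;
        space -= need;
    }
    return written;
}

int main(void)
{
    /* Constructed input: 100-byte buffer, 10 records of 32 + 24 bytes. */
    printf("buggy=%zu cast=%zu full=%zu\n", fill(100, 10, 24, room_buggy),
           fill(100, 10, 24, room_cast), fill(100, 10, 24, room_full));
    return 0;
}
```

With this constructed input the buggy guard admits all 10 records (560 bytes against a 100-byte buffer), the cast-only guard stops after a second record that does not fit whole (112 bytes), and the whole-record guard stops at 56 bytes.
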
Comment 2 Johan Karlsson freebsd_committer freebsd_triage 2000-08-21 20:13:08 UTC
State Changed
From-To: open->closed

Duplicate of PR 17311 
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=17311