upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-02-18 18:20:26 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

net: Validate interface group names in ioctl handlers

Browse source 
The handlers were not checking that the group names are nul-terminated.
Add checks for this.

Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed by:	zlei
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D53344

(cherry picked from commit 32919a34f17ac1af99dec7376f22a8393c251602)
This commit is contained in:
Mark Johnston 2025-10-27 16:27:13 +00:00 committed by Franco Fichtner
parent 320050e120
commit 1c5715635a
1 changed files with 26 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
sys/net/if.c
View file

@ -2850,15 +2850,20 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
break;
case SIOCAIFGROUP:
{
const char *groupname;
error = priv_check(td, PRIV_NET_ADDIFGROUP);
if (error)
return (error);
error = if_addgroup(ifp,
((struct ifgroupreq *)data)->ifgr_group);
groupname = ((struct ifgroupreq *)data)->ifgr_group;
if (strnlen(groupname, IFNAMSIZ) == IFNAMSIZ)
return (EINVAL);
error = if_addgroup(ifp, groupname);
if (error != 0)
return (error);
break;
}
case SIOCGIFGROUP:
{
struct epoch_tracker et;
@ -2870,15 +2875,20 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
}
case SIOCDIFGROUP:
{
const char *groupname;
error = priv_check(td, PRIV_NET_DELIFGROUP);
if (error)
return (error);
error = if_delgroup(ifp,
((struct ifgroupreq *)data)->ifgr_group);
groupname = ((struct ifgroupreq *)data)->ifgr_group;
if (strnlen(groupname, IFNAMSIZ) == IFNAMSIZ)
return (EINVAL);
error = if_delgroup(ifp, groupname);
if (error != 0)
return (error);
break;
}
default:
error = ENOIOCTL;
break;
@ -3022,9 +3032,17 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct thread *td)
goto out_noref;
case SIOCGIFGMEMB:
error = if_getgroupmembers((struct ifgroupreq *)data);
goto out_noref;
{
struct ifgroupreq *req;
req = (struct ifgroupreq *)data;
if (strnlen(req->ifgr_name, IFNAMSIZ) == IFNAMSIZ) {
error = EINVAL;
goto out_noref;
}
error = if_getgroupmembers(req);
goto out_noref;
}
#if defined(INET) || defined(INET6)
case SIOCSVH:
case SIOCGVH: