From 32e0ade6c4a0a3277f467df5f7d14daa2a03f9b0 Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Sun, 24 Jul 2016 10:10:09 +0000
Subject: [PATCH] Partially revert r257696/r257713, which have an issue with
 writing to user controlled address. Restore the old code that emulated
 OSIOCGIFCONF in if.c.

Noticed by:	C Turt
---
 sys/compat/svr4/svr4_sockio.c | 19 +++++--------------
 sys/net/if.c                  | 13 +++++++++++++
 2 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/sys/compat/svr4/svr4_sockio.c b/sys/compat/svr4/svr4_sockio.c
index 6e10e3f6a30..9b7f994d2e7 100644
--- a/sys/compat/svr4/svr4_sockio.c
+++ b/sys/compat/svr4/svr4_sockio.c
@@ -73,6 +73,8 @@ bsd_to_svr4_flags(bf)
 	return sf;
 }
 
+#define	OSIOCGIFCONF	_IOWR('i', 20, struct ifconf)
+
 int
 svr4_sock_ioctl(fp, td, retval, fd, cmd, data)
 	struct file *fp;
@@ -144,7 +146,6 @@ svr4_sock_ioctl(fp, td, retval, fd, cmd, data)
 	case SVR4_SIOCGIFCONF:
 		{
 			struct svr4_ifconf sc;
-			struct ifconf *ifc;
 
 			if ((error = copyin(data, &sc, sizeof(sc))) != 0)
 				return error;
@@ -153,19 +154,9 @@ svr4_sock_ioctl(fp, td, retval, fd, cmd, data)
 				sizeof(struct ifreq), sizeof(struct svr4_ifreq),
 				sc.svr4_ifc_len));
 
-			ifc = (struct ifconf *)&sc;
-			ifc->ifc_req->ifr_addr.sa_family =
-			    sc.svr4_ifc_req->svr4_ifr_addr.sa_family;
-			ifc->ifc_req->ifr_addr.sa_len =
-			    sizeof(struct osockaddr);
-
-			error = fo_ioctl(fp, SIOCGIFCONF, &sc, td->td_ucred,
-			    td);
-
-			sc.svr4_ifc_req->svr4_ifr_addr.sa_family =
-			    ifc->ifc_req->ifr_addr.sa_family;
-
-			if (error != 0)
+			if ((error = fo_ioctl(fp, OSIOCGIFCONF,
+					    (caddr_t) &sc, td->td_ucred,
+					    td)) != 0)
 				return error;
 
 			DPRINTF(("SIOCGIFCONF\n"));
diff --git a/sys/net/if.c b/sys/net/if.c
index 0fd66c9371e..f0b11b33276 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -2699,6 +2699,9 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td)
 	return (error);
 }
 
+/* COMPAT_SVR4 */
+#define	OSIOCGIFCONF	_IOWR('i', 20, struct ifconf)
+
 #ifdef COMPAT_FREEBSD32
 struct ifconf32 {
 	int32_t	ifc_len;
@@ -2738,6 +2741,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct thread *td)
 
 	switch (cmd) {
 	case SIOCGIFCONF:
+	case OSIOCGIFCONF:	/* COMPAT_SVR4 */
 		error = ifconf(cmd, data);
 		CURVNET_RESTORE();
 		return (error);
@@ -3009,6 +3013,15 @@ again:
 			if (prison_if(curthread->td_ucred, sa) != 0)
 				continue;
 			addrs++;
+			/* COMPAT_SVR4 */
+			if (cmd == OSIOCGIFCONF) {
+				struct osockaddr *osa =
+				    (struct osockaddr *)&ifr.ifr_addr;
+				ifr.ifr_addr = *sa;
+				osa->sa_family = sa->sa_family;
+				sbuf_bcat(sb, &ifr, sizeof(ifr));
+				max_len += sizeof(ifr);
+			} else
 			if (sa->sa_len <= sizeof(*sa)) {
 				ifr.ifr_addr = *sa;
 				sbuf_bcat(sb, &ifr, sizeof(ifr));