In userland_sysctl(), call useracc() with the actual newlen value to be

used, rather than the one passed via 'req', which may not reflect a rewrite. This call to useracc() is redundant to validation performed by later copyin()/copyout() calls, so there isn't a security issue here, but this could technically lead to excessive validation of addresses if the length in newlen is shorter than req.newlen. Approved by: re (kensmith) Reviewed by: jhb Submitted by: Constantine A. Murenin <cnst+freebsd@bugmail.mojo.ru> Sponsored by: Google Summer of Code 2007
author: rwatson <rwatson@FreeBSD.org> 2007-09-02 09:59:33 +0000
committer: rwatson <rwatson@FreeBSD.org> 2007-09-02 09:59:33 +0000
commit: 64e850e184767eda04e48493f3f3cdb82f9c56b5 (patch)
tree: d3c4775d017fc1ad44026cab31dc4480bbc9875e /sys/kern/kern_sysctl.c
parent: 3d2ad995c730949c9d7c5298fdc1047cc68b4c4e (diff)
download: FreeBSD-src-64e850e184767eda04e48493f3f3cdb82f9c56b5.zip
FreeBSD-src-64e850e184767eda04e48493f3f3cdb82f9c56b5.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 893c54f..dc64f31 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1383,7 +1383,7 @@ userland_sysctl(struct thread *td, int *name, u_int namelen, void *old,
 	}
 
 	if (new != NULL) {
-		if (!useracc(new, req.newlen, VM_PROT_READ))
+		if (!useracc(new, newlen, VM_PROT_READ))
 			return (EFAULT);
 		req.newlen = newlen;
 		req.newptr = new;
author	rwatson <rwatson@FreeBSD.org>	2007-09-02 09:59:33 +0000
committer	rwatson <rwatson@FreeBSD.org>	2007-09-02 09:59:33 +0000
commit	64e850e184767eda04e48493f3f3cdb82f9c56b5 (patch)
tree	d3c4775d017fc1ad44026cab31dc4480bbc9875e /sys/kern/kern_sysctl.c
parent	3d2ad995c730949c9d7c5298fdc1047cc68b4c4e (diff)
download	FreeBSD-src-64e850e184767eda04e48493f3f3cdb82f9c56b5.zip FreeBSD-src-64e850e184767eda04e48493f3f3cdb82f9c56b5.tar.gz