diff options
author | delphij <delphij@FreeBSD.org> | 2005-02-12 17:51:12 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2005-02-12 17:51:12 +0000 |
commit | 2511132c4e7c2d7765d059b8c68ebe75e7f7c660 (patch) | |
tree | d094a0ae2e92dd674d70361a73a2277c0db20dc0 /sys/net | |
parent | f634be7a95eeb69c8ade4746fcb55a6725acd7bb (diff) | |
download | FreeBSD-src-2511132c4e7c2d7765d059b8c68ebe75e7f7c660.zip FreeBSD-src-2511132c4e7c2d7765d059b8c68ebe75e7f7c660.tar.gz |
Validate ifc->ifc_len before submitting its incarnation to sbuf_new,
which will finally lead to kernel panic.
Security: This prevents a local (root-launched) DoS
Submitted by: Wojciech A. Koszek [dunstan at freebsd czest pl]
PR: 77421
MFC After: 1 week
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/if.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/net/if.c b/sys/net/if.c index 3bd3610..b6505df 100644 --- a/sys/net/if.c +++ b/sys/net/if.c @@ -1544,6 +1544,10 @@ ifconf(u_long cmd, caddr_t data) /* Limit initial buffer size to MAXPHYS to avoid DoS from userspace. */ max_len = MAXPHYS - 1; + /* Prevent hostile input from being able to crash the system */ + if (ifc->ifc_len <= 0) + return (EINVAL); + again: if (ifc->ifc_len <= max_len) { max_len = ifc->ifc_len; |