diff options
| author | Jamie Gritton <jamie@FreeBSD.org> | 2022-03-26 02:16:51 +0000 |
|---|---|---|
| committer | Jamie Gritton <jamie@FreeBSD.org> | 2022-03-28 23:39:54 +0000 |
| commit | c1576434e9cf9c48b4d3975717c9f6cc6427cfd9 (patch) | |
| tree | 07b3bacc0be007d86d5299778ebd60f4db6bc748 | |
| parent | 4cf0cc507f35714009cba62570b47bb01c1ba49e (diff) | |
| download | src-c1576434e9cf9c48b4d3975717c9f6cc6427cfd9.tar.gz src-c1576434e9cf9c48b4d3975717c9f6cc6427cfd9.zip | |
mfc jail: handle jailsys parameters in modification permission test
Avoid a null dereference when a value-less jailsys parameter is passed
to "jail -m". There was already code to handle boolean parameters,
but in reality any parameter could be passed without a value.
PR: 262471
Reported by: jcaplan at blackberry.com
(cherry picked from commit 8f1543785f77086494c73310ba8f5d09b61ff7eb)
| -rw-r--r-- | usr.sbin/jail/jail.c | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/usr.sbin/jail/jail.c b/usr.sbin/jail/jail.c index eb3b19f2cb82..63096146f176 100644 --- a/usr.sbin/jail/jail.c +++ b/usr.sbin/jail/jail.c @@ -790,7 +790,9 @@ static int rdtun_params(struct cfjail *j, int dofail) { struct jailparam *jp, *rtparams, *rtjp; - int nrt, rval; + const void *jp_value; + size_t jp_valuelen; + int nrt, rval, bool_true; if (j->flags & JF_RDTUN) return 0; @@ -818,15 +820,25 @@ rdtun_params(struct cfjail *j, int dofail) rtjp = rtparams + 1; for (jp = j->jp; rtjp < rtparams + nrt; jp++) { if (JP_RDTUN(jp) && strcmp(jp->jp_name, "jid")) { - if (!((jp->jp_flags & (JP_BOOL | JP_NOBOOL)) && - jp->jp_valuelen == 0 && - *(int *)jp->jp_value) && - !(rtjp->jp_valuelen == jp->jp_valuelen && - !((jp->jp_ctltype & CTLTYPE) == - CTLTYPE_STRING ? strncmp(rtjp->jp_value, - jp->jp_value, jp->jp_valuelen) : - memcmp(rtjp->jp_value, jp->jp_value, - jp->jp_valuelen)))) { + jp_value = jp->jp_value; + jp_valuelen = jp->jp_valuelen; + if (jp_value == NULL && jp_valuelen > 0) { + if (jp->jp_flags & (JP_BOOL | + JP_NOBOOL | JP_JAILSYS)) { + bool_true = 1; + jp_value = &bool_true; + jp_valuelen = sizeof(bool_true); + } else if ((jp->jp_ctltype & CTLTYPE) == + CTLTYPE_STRING) + jp_value = ""; + else + jp_valuelen = 0; + } + if (rtjp->jp_valuelen != jp_valuelen || + (CTLTYPE_STRING ? strncmp(rtjp->jp_value, + jp_value, jp_valuelen) + : memcmp(rtjp->jp_value, jp_value, + jp_valuelen))) { if (dofail) { jail_warnx(j, "%s cannot be " "changed after creation", |