diff options
author | Kristof Provost <kp@FreeBSD.org> | 2020-01-28 22:44:24 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2020-01-28 22:44:24 +0000 |
commit | b02fd8b79028c01715e168a25d0fd86ff09b9ce3 (patch) | |
tree | a3f9e28cc4cbb62a5f1c865afee56af7e6a99043 /sys/net/if_clone.c | |
parent | 1232c361394bdde30022a434d0e801fdbca0f4fb (diff) | |
download | src-b02fd8b79028c01715e168a25d0fd86ff09b9ce3.tar.gz src-b02fd8b79028c01715e168a25d0fd86ff09b9ce3.zip |
epair: Do not abuse params to register the second interface
if_epair used the 'params' argument to pass a pointer to the b interface
through if_clone_create().
This pointer can be controlled by userspace, which means it could be abused to
trigger a panic. While this requires PRIV_NET_IFCREATE
privileges those are assigned to vnet jails, which means that vnet jails
could panic the system.
Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after: 3 days
Notes
Notes:
svn path=/head/; revision=357233
Diffstat (limited to 'sys/net/if_clone.c')
-rw-r--r-- | sys/net/if_clone.c | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/sys/net/if_clone.c b/sys/net/if_clone.c index 6207ff0c037e..acc392ead16a 100644 --- a/sys/net/if_clone.c +++ b/sys/net/if_clone.c @@ -211,6 +211,18 @@ if_clone_create(char *name, size_t len, caddr_t params) return (if_clone_createif(ifc, name, len, params)); } +void +if_clone_addif(struct if_clone *ifc, struct ifnet *ifp) +{ + + if ((ifc->ifc_flags & IFC_NOGROUP) == 0) + if_addgroup(ifp, ifc->ifc_name); + + IF_CLONE_LOCK(ifc); + IFC_IFLIST_INSERT(ifc, ifp); + IF_CLONE_UNLOCK(ifc); +} + /* * Create a clone network interface. */ @@ -233,12 +245,7 @@ if_clone_createif(struct if_clone *ifc, char *name, size_t len, caddr_t params) if (ifp == NULL) panic("%s: lookup failed for %s", __func__, name); - if ((ifc->ifc_flags & IFC_NOGROUP) == 0) - if_addgroup(ifp, ifc->ifc_name); - - IF_CLONE_LOCK(ifc); - IFC_IFLIST_INSERT(ifc, ifp); - IF_CLONE_UNLOCK(ifc); + if_clone_addif(ifc, ifp); } return (err); |