epair: Do not abuse params to register the second interface

if_epair used the 'params' argument to pass a pointer to the b interface
through if_clone_create().
This pointer can be controlled by userspace, which means it could be abused to
trigger a panic. While this requires PRIV_NET_IFCREATE
privileges those are assigned to vnet jails, which means that vnet jails
could panic the system.

Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
MFC after:	3 days

1 files changed, 13 insertions, 6 deletions

diff --git a/sys/net/if_clone.c b/sys/net/if_clone.c
index 6207ff0c037e..acc392ead16a 100644
--- a/sys/net/if_clone.c
+++ b/sys/net/if_clone.c
@@ -211,6 +211,18 @@ if_clone_create(char *name, size_t len, caddr_t params)
 	return (if_clone_createif(ifc, name, len, params));
 }
 
+void
+if_clone_addif(struct if_clone *ifc, struct ifnet *ifp)
+{
+
+	if ((ifc->ifc_flags & IFC_NOGROUP) == 0)
+		if_addgroup(ifp, ifc->ifc_name);
+
+	IF_CLONE_LOCK(ifc);
+	IFC_IFLIST_INSERT(ifc, ifp);
+	IF_CLONE_UNLOCK(ifc);
+}
+
 /*
  * Create a clone network interface.
  */
@@ -233,12 +245,7 @@ if_clone_createif(struct if_clone *ifc, char *name, size_t len, caddr_t params)
 		if (ifp == NULL)
 			panic("%s: lookup failed for %s", __func__, name);
 
-		if ((ifc->ifc_flags & IFC_NOGROUP) == 0)
-			if_addgroup(ifp, ifc->ifc_name);
-
-		IF_CLONE_LOCK(ifc);
-		IFC_IFLIST_INSERT(ifc, ifp);
-		IF_CLONE_UNLOCK(ifc);
+		if_clone_addif(ifc, ifp);
 	}
 
 	return (err);