authorHans Petter Selasky <hselasky@FreeBSD.org>2017-12-08 15:37:36 +0000
committerHans Petter Selasky <hselasky@FreeBSD.org>2017-12-08 15:37:36 +0000
commit33d01214e8c2c98cc60866c319e9e1fae3c247b7 (patch)
tree936baaf101225588eed8860ce972ae4038d5d851
parentda49da4b7166e055d2c409f8677b3b5661985c46 (diff)
MFC r326362:
Disallow TUN and TAP character device IOCTLs to modify the network device type to any value. This can cause page faults and panics due to accessing uninitialized fields in the "struct ifnet" which are specific to the network device type. Found by: jau@iki.fi PR: 223767 Sponsored by: Mellanox Technologies
Notes
Notes: svn path=/stable/8/; revision=326694
-rw-r--r--share/man/man4/tap.411
-rw-r--r--share/man/man4/tun.411
-rw-r--r--sys/net/if_tap.c3
-rw-r--r--sys/net/if_tun.c3
4 files changed, 22 insertions, 6 deletions
diff --git a/share/man/man4/tap.4 b/share/man/man4/tap.4
index a306108af63b..9f796e1b23c1 100644
--- a/share/man/man4/tap.4
+++ b/share/man/man4/tap.4
@@ -1,7 +1,7 @@
.\" $FreeBSD$
.\" Based on PR#2411
.\"
-.Dd September 8, 2008
+.Dd November 29, 2017
.Dt TAP 4
.Os
.Sh NAME
@@ -164,7 +164,14 @@ calls are supported
.In net/if_tap.h ) :
.Bl -tag -width VMIO_SIOCSETMACADDR
.It Dv TAPSIFINFO
-Set network interface information (line speed, MTU and type).
+Set network interface information (line speed and MTU).
+The type must be the same as returned by
+.Dv TAPGIFINFO
+or set to
+.Dv IFT_ETHER
+else the
+.Xr ioctl 2
+call will fail.
The argument should be a pointer to a
.Va struct tapinfo .
.It Dv TAPGIFINFO
diff --git a/share/man/man4/tun.4 b/share/man/man4/tun.4
index b5139a7cdf0d..dd6f2df52933 100644
--- a/share/man/man4/tun.4
+++ b/share/man/man4/tun.4
@@ -2,7 +2,7 @@
.\" $FreeBSD$
.\" Based on PR#2411
.\"
-.Dd February 4, 2007
+.Dd November 29, 2017
.Dt TUN 4
.Os
.Sh NAME
@@ -197,8 +197,15 @@ this stores the internal debugging variable's value into it.
.It Dv TUNSIFINFO
The argument should be a pointer to an
.Vt struct tuninfo
-and allows setting the MTU, the type, and the baudrate of the tunnel
+and allows setting the MTU and the baudrate of the tunnel
device.
+The type must be the same as returned by
+.Dv TUNGIFINFO
+or set to
+.Dv IFT_PPP
+else the
+.Xr ioctl 2
+call will fail.
The
.Vt struct tuninfo
is declared in
diff --git a/sys/net/if_tap.c b/sys/net/if_tap.c
index 89e19af3831d..37de98bc1162 100644
--- a/sys/net/if_tap.c
+++ b/sys/net/if_tap.c
@@ -717,9 +717,10 @@ tapioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag, struct thread *td
switch (cmd) {
case TAPSIFINFO:
tapp = (struct tapinfo *)data;
+ if (ifp->if_type != tapp->type)
+ return (EPROTOTYPE);
mtx_lock(&tp->tap_mtx);
ifp->if_mtu = tapp->mtu;
- ifp->if_type = tapp->type;
ifp->if_baudrate = tapp->baudrate;
mtx_unlock(&tp->tap_mtx);
break;
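Review bot: In the TAPSIFINFO case the type is now checked, but `tapp->mtu` and `tapp->baudrate` are still copied from the caller-supplied struct into the ifnet, with no range check between the cast and the assignment. If the MTU field is signed (its declaration is not shown here), a zero or negative value would be stored as-is and presumably trusted by later code. Consider rejecting it next to the new guard, e.g. `if (tapp->mtu <= 0) return (EINVAL);`, and also bounding it by the driver's maximum frame size. The tunioctl hunk in sys/net/if_tun.c has the same direct assignment, although the error check just above it, partly outside the hunk, may already cover the MTU. tapioctl's body starts and ends outside the hunk.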
diff --git a/sys/net/if_tun.c b/sys/net/if_tun.c
index 4492e049406c..eefea254ae89 100644
--- a/sys/net/if_tun.c
+++ b/sys/net/if_tun.c
@@ -685,9 +685,10 @@ tunioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag,
if (error)
return (error);
}
+ if (TUN2IFP(tp)->if_type != tunp->type)
+ return (EPROTOTYPE);
mtx_lock(&tp->tun_mtx);
TUN2IFP(tp)->if_mtu = tunp->mtu;
- TUN2IFP(tp)->if_type = tunp->type;
TUN2IFP(tp)->if_baudrate = tunp->baudrate;
mtx_unlock(&tp->tun_mtx);
break;
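Review bot: The new `if_type` guard has no comment saying why a mismatching type is refused, and the reason is not obvious from the code. Per the commit message, the type-specific fields of `struct ifnet` are not initialized for other device types. A one-line comment above the check would help keep a later change from reintroducing the assignment: `/* if_type is fixed; other types would use ifnet fields this driver never initializes */`. The same comment fits the identical check in tapioctl in sys/net/if_tap.c. The enclosing switch case begins outside the hunk.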