Don't overflow the kernel struct mdio in the MDIOCLIST ioctl.
ClosedPublic

Authored by brooks on Mar 13 2018, 7:58 PM.

Details

Summary

Always terminate the list with -1 and document the ioctl behavior.
This preserves existing behavior as seen from userspace with the
addition of the unconditional termination which will not be seen by
working consumers of MDIOCLIST.

Because this ioctl can only be performed by root (in default
configurations) and is not used in the base system this bug is not
deemed to warrant either a security advisory or an eratta notice.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.
brooks created this revision.Mar 13 2018, 7:58 PM
kib accepted this revision.Mar 13 2018, 8:25 PM

So the overflow can happen if the number of md's is greater than MONPAD, right ?

I would appreciate if the comment for md_pad in mdioctl.h was updated.

This revision is now accepted and ready to land.Mar 13 2018, 8:25 PM

> MDNPAD - 1 (one slot lost to the count). I'll commit an update to md_pad's comment separately (I almost submitted it with this one, but it's only somewhat related).

This revision was automatically updated to reflect the committed changes.