Page MenuHomeFreeBSD

Don't overflow the kernel struct mdio in the MDIOCLIST ioctl.

Authored by brooks on Mar 13 2018, 7:58 PM.



Always terminate the list with -1 and document the ioctl behavior.
This preserves existing behavior as seen from userspace with the
addition of the unconditional termination which will not be seen by
working consumers of MDIOCLIST.

Because this ioctl can only be performed by root (in default
configurations) and is not used in the base system this bug is not
deemed to warrant either a security advisory or an eratta notice.

Diff Detail

rS FreeBSD src repository
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

brooks created this revision.Mar 13 2018, 7:58 PM
kib accepted this revision.Mar 13 2018, 8:25 PM

So the overflow can happen if the number of md's is greater than MONPAD, right ?

I would appreciate if the comment for md_pad in mdioctl.h was updated.

This revision is now accepted and ready to land.Mar 13 2018, 8:25 PM

> MDNPAD - 1 (one slot lost to the count). I'll commit an update to md_pad's comment separately (I almost submitted it with this one, but it's only somewhat related).

This revision was automatically updated to reflect the committed changes.