Don't overflow the kernel struct mdio in the MDIOCLIST ioctl.
ClosedPublic
Actions

Authored by brooks on Mar 13 2018, 7:58 PM.

Details

Reviewers

markj
stevek
kib

Commits

rS331008: Restore the behavior of returning the total number of units by
rS330880: Don't overflow the kernel struct mdio in the MDIOCLIST ioctl.

Summary

Always terminate the list with -1 and document the ioctl behavior.
This preserves existing behavior as seen from userspace with the
addition of the unconditional termination which will not be seen by
working consumers of MDIOCLIST.

Because this ioctl can only be performed by root (in default
configurations) and is not used in the base system this bug is not
deemed to warrant either a security advisory or an eratta notice.

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

brooks created this revision.Mar 13 2018, 7:58 PM

Harbormaster completed remote builds in B15551: Diff 40262.Mar 13 2018, 7:58 PM

So the overflow can happen if the number of md's is greater than MONPAD, right ?

I would appreciate if the comment for md_pad in mdioctl.h was updated.

This revision is now accepted and ready to land.Mar 13 2018, 8:25 PM

> MDNPAD - 1 (one slot lost to the count). I'll commit an update to md_pad's comment separately (I almost submitted it with this one, but it's only somewhat related).

Closed by commit rS330880: Don't overflow the kernel struct mdio in the MDIOCLIST ioctl. (authored by brooks). · Explain WhyMar 13 2018, 8:39 PM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: imp. · View Herald TranscriptMar 13 2018, 8:39 PM