Re: CVS commit: src/sys

On Tue, May 29, 2007 at 09:32:31PM +0000, Christos Zoulas
wrote:
> 
> Module Name:	src
> Committed By:	christos
> Date:		Tue May 29 21:32:31 UTC 2007
> 
> Modified Files:
> 	src/sys/compat/common: Makefile uipc_syscalls_43.c
> 	src/sys/compat/freebsd: freebsd_ioctl.c
freebsd_ioctl.h
> 	src/sys/compat/ibcs2: ibcs2_socksys.h
> 	src/sys/compat/linux/common: linux_socket.c
> 	src/sys/compat/sunos: sunos_ioctl.c
> 	src/sys/compat/sunos32: sunos32_ioctl.c
> 	src/sys/compat/svr4: svr4_sockio.c
> 	src/sys/compat/svr4_32: svr4_32_sockio.c
> 	src/sys/compat/sys: socket.h
> 	src/sys/compat/ultrix: ultrix_ioctl.c
> 	src/sys/conf: files
> 	src/sys/net: bpf.c if.c if.h if_etherip.c
if_ethersubr.c if_gre.c
> 	    if_media.c if_tap.c
> 	src/sys/net80211: ieee80211_ioctl.c
> 	src/sys/sys: ioccom.h sockio.h
> Added Files:
> 	src/sys/compat/common: uipc_syscalls_40.c
> 	src/sys/compat/sys: sockio.h
> 
> Log Message:
> Add a sockaddr_storage member to "struct
ifreq" maintaining backwards
> compatibility with the older ioctls. This avoids stack
smashing and
> abuse of "struct sockaddr" when ioctls placed
"struct sockaddr_foo's" that
> were longer than "struct sockaddr".
> XXX: Some of the emulations might be broken; I tried to
add code for
> them but I did not test them.

This seems like an awful lot of #ifdef'age to achieve very
limited
protection against stack smashing.  Suppose the kernel
copies to ifreq
a sockaddr whose sa_len > sizeof(struct sockaddr_storage)
?

Dave

-- 
David Young             OJC Technologies
dyoungojctech.com      Urbana, IL * (217) 278-3933 ext 24

On Tue, May 29, 2007 at 05:20:33PM -0500, David Young
wrote:
> On Tue, May 29, 2007 at 09:32:31PM +0000, Christos
Zoulas wrote:
> > 
> > Module Name:	src
> > Committed By:	christos
> > Date:		Tue May 29 21:32:31 UTC 2007
> > 
> > Modified Files:
> > 	src/sys/net: bpf.c if.c if.h if_etherip.c
if_ethersubr.c if_gre.c
> > 	    if_media.c if_tap.c

I believe such a change should have been sent to
tech-net for review
before it was committed.

It looks like you have made unrelated changes to
if_ethersubr.c 
and if_tap.c, which you have not described in the commit
message.

You repeat this code all over:

+#if defined(COMPAT_09) || defined(COMPAT_10) ||
defined(COMPAT_11) || 
+    defined(COMPAT_12) || defined(COMPAT_13) ||
defined(COMPAT_14) || 
+    defined(COMPAT_15) || defined(COMPAT_16) ||
defined(COMPAT_20) || 
+    defined(COMPAT_30) || defined(COMPAT_40)
+#include <compat/sys/sockio.h>
+#endif

Please, move the #ifdef inside of compat/sys/sockio.h, or at
least
encapsulate the condition in a #define.  People have to read
this code.

Finally, gre(4) has grown this wart---no, thank you:

Index: src/sys/net/if_gre.c
diff -u src/sys/net/if_gre.c:1.93 src/sys/net/if_gre.c:1.94
--- src/sys/net/if_gre.c:1.93	Sun May  6 02:47:52 2007
+++ src/sys/net/if_gre.c	Tue May 29 21:32:30 2007
 -894,13
+902,26 
 	struct sockaddr_in dst, src;
 	struct proc *p = curproc;	/* XXX */
 	struct lwp *l = curlwp;	/* XXX */
-	struct ifreq *ifr = (struct ifreq *)data;
+	struct ifreq *ifr;
 	struct if_laddrreq *lifr = (struct if_laddrreq *)data;
 	struct gre_softc *sc = ifp->if_softc;
 	struct sockaddr_in si;
 	struct sockaddr *sa = NULL;
 	int error = 0;
-
+	u_long ocmd = cmd;
+#ifdef COMPAT_OIFREQ
+	struct oifreq *oifr;
+	struct ifreq ifrb;
+
+	cmd = cvtcmd(cmd);
+	if (cmd != ocmd) {
+		oifr = data;
+		data = ifr = &ifrb;
+		ifreqo2n(oifr, ifr);
+	} else
+#endif
+		ifr = data;
+	
 	switch (cmd) {
 	case SIOCSIFFLAGS:
 	case SIOCSIFMTU:
 -1156,6
+1177,10 
 		error = EINVAL;
 		break;
 	}
+#ifdef COMPAT_OIFREQ
+	if (cmd != ocmd)
+		ifreqn2o(oifr, ifr);
+#endif
 	mutex_exit(&sc->sc_mtx);
 	return error;
 }

Dave

-- 
David Young             OJC Technologies
dyoungojctech.com      Urbana, IL * (217) 278-3933 ext 24

> [...].  Suppose the kernel copies to ifreq a sockaddr
whose sa_len >
> sizeof(struct sockaddr_storage) ?

...which is nto all that implausible; AF_LOCAL sockets can
have more or
less unlimited sun_len - well, they should be able to; our
implementation limits them to 255 (because it's stored in
char), which
I consider a bug.  But 255 > sizeof(struct
sockaddr_storage)....

/~ The ASCII				der Mouse
 / Ribbon Campaign
 X  Against HTML	       mouserodents.montreal.qc.ca
/  Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3
27 4B

On Tue, May 29, 2007 at 05:20:33PM -0500, David Young
wrote:
> On Tue, May 29, 2007 at 09:32:31PM +0000, Christos
Zoulas wrote:
> > 
> > Module Name:	src
> > Committed By:	christos
> > Date:		Tue May 29 21:32:31 UTC 2007
> > 
> > Modified Files:
> > 	src/sys/compat/common: Makefile
uipc_syscalls_43.c
> > 	src/sys/compat/freebsd: freebsd_ioctl.c
freebsd_ioctl.h
> > 	src/sys/compat/ibcs2: ibcs2_socksys.h
> > 	src/sys/compat/linux/common: linux_socket.c
> > 	src/sys/compat/sunos: sunos_ioctl.c
> > 	src/sys/compat/sunos32: sunos32_ioctl.c
> > 	src/sys/compat/svr4: svr4_sockio.c
> > 	src/sys/compat/svr4_32: svr4_32_sockio.c
> > 	src/sys/compat/sys: socket.h
> > 	src/sys/compat/ultrix: ultrix_ioctl.c
> > 	src/sys/conf: files
> > 	src/sys/net: bpf.c if.c if.h if_etherip.c
if_ethersubr.c if_gre.c
> > 	    if_media.c if_tap.c
> > 	src/sys/net80211: ieee80211_ioctl.c
> > 	src/sys/sys: ioccom.h sockio.h
> > Added Files:
> > 	src/sys/compat/common: uipc_syscalls_40.c
> > 	src/sys/compat/sys: sockio.h
> > 
> > Log Message:
> > Add a sockaddr_storage member to "struct
ifreq" maintaining backwards
> > compatibility with the older ioctls. This avoids
stack smashing and
> > abuse of "struct sockaddr" when ioctls
placed "struct sockaddr_foo's" that
> > were longer than "struct sockaddr".
> > XXX: Some of the emulations might be broken; I
tried to add code for
> > them but I did not test them.
> 
> This seems like an awful lot of #ifdef'age to achieve
very limited
> protection against stack smashing.  Suppose the kernel
copies to ifreq
> a sockaddr whose sa_len > sizeof(struct
sockaddr_storage) ?

Stack smashing is only a side effect of the issue of having
a sockaddr
in ifreq when it's meant to hold a larger, AF-dependent,
structure.

As for the length, sockaddr_storage now essentially works as
the maximum
size a sockaddr object is allowed to be.

-- 
Quentin Garnier - cubecubidou.net - cubeNetBSD.org
"You could have made it, spitting out benchmarks
Owe it to yourself not to fail"
Amplifico, Spitting Out Benchmarks, Hometakes Vol. 2,
2005.