mirror of https://git.FreeBSD.org/src.git synced 2024-12-17 10:26:15 +00:00

In userland_sysctl(), call useracc() with the actual newlen value to be
used, rather than the one passed via 'req', which may not reflect a
rewrite.  This call to useracc() is redundant to validation performed by
later copyin()/copyout() calls, so there isn't a security issue here,
but this could technically lead to excessive validation of addresses if
the length in newlen is shorter than req.newlen.

Approved by:	re (kensmith)
Reviewed by:	jhb
Submitted by:	Constantine A. Murenin <cnst+freebsd@bugmail.mojo.ru>
Sponsored by:	Google Summer of Code 2007
Robert Watson 2007-09-02 09:59:33 +00:00
parent 514b2bf1f6
commit 70ffc2fb53
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=172038


@ -1383,7 +1383,7 @@ userland_sysctl(struct thread *td, int *name, u_int namelen, void *old,
}
if (new != NULL) {
if (!useracc(new, req.newlen, VM_PROT_READ))
if (!useracc(new, newlen, VM_PROT_READ))
return (EFAULT);
req.newlen = newlen;
req.newptr = new;
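
Review bot: The useracc(new, newlen, VM_PROT_READ) check has no comment saying it is only an early check, while the commit message states that the later copyin()/copyout() calls are what actually validate the address range. A one-line comment above the check saying so would keep a future reader from treating useracc() as the access control for 'new'. Also, since `req.newlen = newlen;` is only assigned after the check, it is worth confirming that nothing between the start of the function and this block reads req.newlen on the assumption that it already holds the caller's length.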