From bfd27e78b259eedbd4c30548e80c9b4d789d26e1 Mon Sep 17 00:00:00 2001
From: YOUR_NAME
Date: Wed, 23 Jun 2021 15:24:50 +0800
Subject: [PATCH] fix: SIOCGIFCONF ioctl malloc size error in kernel use struct ifconf and ifc_buf size malloc memory close: #I3XEZ3
Signed-off-by: liujiandong
---
 net/lwip-2.1/porting/src/sockets.c | 48 +++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/net/lwip-2.1/porting/src/sockets.c b/net/lwip-2.1/porting/src/sockets.c
index 95cfa0bf..a3944009 100644
--- a/net/lwip-2.1/porting/src/sockets.c
+++ b/net/lwip-2.1/porting/src/sockets.c
@@ -1468,6 +1468,51 @@ static err_t lwip_do_ioctl_impl(struct tcpip_api_call_data *call)
 #include "los_vm_map.h"
 #include "user_copy.h"
 
+static int do_ioctl_SIOCGIFCONF(int sockfd, long cmd, void *argp)
+{
+ int nbytes;
+ struct ifconf ifc;
+ char *buf_bak = NULL;
+ int ret;
+
+ if (LOS_ArchCopyFromUser(&ifc, argp, sizeof(struct ifconf)) != 0) {
+ set_errno(EFAULT);
+ return -1;
+ }
+ nbytes = ifc.ifc_len;
+ if (nbytes < 0) {
+ set_errno(EINVAL);
+ return -1;
+ }
+ buf_bak = ifc.ifc_buf;
+ if (!LOS_IsUserAddress((VADDR_T)(uintptr_t)buf_bak)) {
+ set_errno(EFAULT);
+ return -1;
+ }
+ ifc.ifc_buf = malloc(nbytes);
+ if (ifc.ifc_buf == NULL) {
+ set_errno(ENOMEM);
+ return -1;
+ }
+ (void)memset_s(ifc.ifc_buf, nbytes, 0, nbytes);
+
+ ret = lwip_ioctl(sockfd, cmd, &ifc);
+ if (ret == 0) {
+ if (LOS_ArchCopyToUser(buf_bak, ifc.ifc_buf, nbytes) != 0) {
+ set_errno(EFAULT);
+ ret = -1;
+ }
+ }
+
+ free(ifc.ifc_buf);
+ ifc.ifc_buf = buf_bak;
+ if (LOS_ArchCopyToUser(argp, &ifc, sizeof(struct ifconf)) != 0) {
+ set_errno(EFAULT);
+ ret = -1;
+ }
+ return ret;
+}
+
 int socks_ioctl(int sockfd, long cmd, void *argp)
 {
 void *argpbak = argp;
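Review bot: The kernel allocation in do_ioctl_SIOCGIFCONF is sized straight from the user-supplied `ifc.ifc_len`; the only check is `nbytes < 0`, so one ioctl can make the kernel `malloc` and zero up to INT_MAX bytes. I would bound it before the `malloc`, for example `if (nbytes < 0 || nbytes > IFCONF_BUF_MAX) { set_errno(EINVAL); return -1; }`, where `IFCONF_BUF_MAX` is a placeholder for a project-chosen limit such as the interface count times `sizeof(struct ifreq)`. In the same function, `free(ifc.ifc_buf)` reads the pointer back from a struct that `lwip_ioctl` was free to modify, so holding the kernel buffer in its own local and freeing that would be safer. The copy-out also uses the requested `nbytes` rather than the `ifc.ifc_len` the ioctl presumably updates; the buffer is zeroed first, so this looks wasteful rather than leaky. `LOS_IsUserAddress` is applied only to the start of the user buffer, so it is worth confirming that `LOS_ArchCopyToUser` validates the whole `nbytes` range.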
@@ -1483,11 +1528,12 @@ int socks_ioctl(int sockfd, long cmd, void *argp)
 case SIOCADDRT:
 nbytes = sizeof(struct rtentry);
 break;
+ case SIOCGIFCONF:
+ return do_ioctl_SIOCGIFCONF(sockfd, cmd, argp);
 case SIOCSIPV6DAD:
 case SIOCGIPV6DAD:
 case SIOCSIPV6DPCTD:
 case SIOCGIPV6DPCTD:
- case SIOCGIFCONF:
 case SIOCGIFADDR:
 case SIOCSIFADDR:
 case SIOCDIFADDR: