authorRyan Zezeski <rpz@joyent.com>2017-02-14 15:49:24 -0700
committerRyan Zezeski <rpz@joyent.com>2017-02-15 18:03:05 -0700
commit32a07cd9736cfe9dfd28b66798ea439199da43c2 (patch)
tree0f2d6a887955195385199cb9600e2978f8067f29
parent0a0eca7a43c8775a61b7d43f9d878e98de0173fe (diff)
OS-5892 drv_ioc_prop_common could leak memory and holdsrelease-20170216
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com> Approved by: Jerry Jelinek <jerry.jelinek@joyent.com>
-rw-r--r--usr/src/uts/common/io/dld/dld_drv.c14
1 files changed, 12 insertions, 2 deletions
diff --git a/usr/src/uts/common/io/dld/dld_drv.c b/usr/src/uts/common/io/dld/dld_drv.c
index b89b623a39..e65e8d8161 100644
--- a/usr/src/uts/common/io/dld/dld_drv.c
+++ b/usr/src/uts/common/io/dld/dld_drv.c
@@ -708,8 +708,18 @@ drv_ioc_prop_common(dld_ioc_macprop_t *prop, intptr_t arg, boolean_t set,
else
err = drv_ioc_clrap(linkid);
} else {
- if (kprop->pr_valsize == 0)
- return (ENOBUFS);
+ /*
+ * You might think that the earlier call to
+ * mac_prop_check_size() should catch this but
+ * it can't. The autopush prop uses 0 as a
+ * sentinel value to clear the prop. This
+ * check ensures we don't allow a get with a
+ * valsize of 0.
+ */
+ if (kprop->pr_valsize == 0) {
+ err = ENOBUFS;
+ goto done;
+ }
kprop->pr_perm_flags = MAC_PROP_PERM_RW;
err = drv_ioc_getap(linkid, dlap);
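Review bot: The new comment above `if (kprop->pr_valsize == 0)` explains why the zero-size check is needed on the get path, but not why the branch must leave through `done`, which according to the commit title is the actual fix. I would close the comment with a sentence such as `Exit via done rather than return so that what was allocated and held earlier is released.` so that a later cleanup does not collapse it back into an early `return (ENOBUFS)`. The `done` label and the allocations and holds it releases lie outside this hunk, so the wording should be confirmed against the full body of drv_ioc_prop_common. Any other direct `return` that follows the first allocation in that function deserves the same check.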