12905 drv_ioc_prop_common could leak memory and holds

Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com> Reviewed by: Igor Kozhukhov <igor@dilos.org> Reviewed by: Paul Winder <paul@winders.demon.co.uk> Reviewed by: Toomas Soome <tsoome@me.com> Approved by: Robert Mustacchi <rm@fingolfin.org>
author: Ryan Zezeski <rpz@joyent.com> 2020-06-28 08:01:52 -0600
committer: Robert Mustacchi <rm@fingolfin.org> 2020-07-01 18:41:41 -0700
commit: daa7e8a345b2e0424e612017e8ead2e97b0f7f37 (patch)
tree: be81d2ca39782d86b954e8c35280044e117d222b /usr/src
parent: 4ebabf216cc42b93907be4a8b051040e2e9a3597 (diff)
download: illumos-joyent-daa7e8a345b2e0424e612017e8ead2e97b0f7f37.tar.gz
1 files changed, 12 insertions, 2 deletions
diff --git a/usr/src/uts/common/io/dld/dld_drv.c b/usr/src/uts/common/io/dld/dld_drv.c
index cfe0f78415..eca17349c3 100644
--- a/usr/src/uts/common/io/dld/dld_drv.c
+++ b/usr/src/uts/common/io/dld/dld_drv.c
@@ -717,8 +717,18 @@ drv_ioc_prop_common(dld_ioc_macprop_t *prop, intptr_t arg, boolean_t set,
 			else
 				err = drv_ioc_clrap(linkid);
 		} else {
-			if (kprop->pr_valsize == 0)
-				return (ENOBUFS);
+			/*
+			 * You might think that the earlier call to
+			 * mac_prop_check_size() should catch this but
+			 * it can't. The autopush prop uses 0 as a
+			 * sentinel value to clear the prop. This
+			 * check ensures we don't allow a get with a
+			 * valsize of 0.
+			 */
+			if (kprop->pr_valsize == 0) {
+				err = ENOBUFS;
+				goto done;
+			}
 
 			kprop->pr_perm_flags = MAC_PROP_PERM_RW;
 			err = drv_ioc_getap(linkid, dlap);
author	Ryan Zezeski <rpz@joyent.com>	2020-06-28 08:01:52 -0600
committer	Robert Mustacchi <rm@fingolfin.org>	2020-07-01 18:41:41 -0700
commit	daa7e8a345b2e0424e612017e8ead2e97b0f7f37 (patch)
tree	be81d2ca39782d86b954e8c35280044e117d222b /usr/src
parent	4ebabf216cc42b93907be4a8b051040e2e9a3597 (diff)
download	illumos-joyent-daa7e8a345b2e0424e612017e8ead2e97b0f7f37.tar.gz