From 32a07cd9736cfe9dfd28b66798ea439199da43c2 Mon Sep 17 00:00:00 2001
From: Ryan Zezeski
Date: Tue, 14 Feb 2017 15:49:24 -0700
Subject: OS-5892 drv_ioc_prop_common could leak memory and holds
Reviewed by: Jerry Jelinek
Approved by: Jerry Jelinek
---
 usr/src/uts/common/io/dld/dld_drv.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/usr/src/uts/common/io/dld/dld_drv.c b/usr/src/uts/common/io/dld/dld_drv.c
index b89b623a39..e65e8d8161 100644
--- a/usr/src/uts/common/io/dld/dld_drv.c
+++ b/usr/src/uts/common/io/dld/dld_drv.c
@@ -708,8 +708,18 @@ drv_ioc_prop_common(dld_ioc_macprop_t *prop, intptr_t arg, boolean_t set,
 else
 err = drv_ioc_clrap(linkid);
 } else {
- if (kprop->pr_valsize == 0)
- return (ENOBUFS);
+ /*
+ * You might think that the earlier call to
+ * mac_prop_check_size() should catch this but
+ * it can't. The autopush prop uses 0 as a
+ * sentinel value to clear the prop. This
+ * check ensures we don't allow a get with a
+ * valsize of 0.
+ */
+ if (kprop->pr_valsize == 0) {
+ err = ENOBUFS;
+ goto done;
+ }
 kprop->pr_perm_flags = MAC_PROP_PERM_RW;
 err = drv_ioc_getap(linkid, dlap);
--
cgit v1.2.3
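Review bot: The added comment explains why the zero-size check exists, but not why this branch now leaves through `goto done` instead of returning, which per the commit subject is the actual fix. This path appears to be driven by an ioctl with a caller-supplied `pr_valsize`, so a direct return here would presumably leak the allocation and holds on every such request. I would append a sentence to the comment such as `Exit via done so the buffer and holds taken above are released.` so a later edit does not reintroduce the early return. The `done` label and the rest of drv_ioc_prop_common lie outside the hunk, so it is worth confirming that no other early `return` remains after the resources are acquired and that the cleanup path behaves sensibly on a get when `err` is already set.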