author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2019-11-13 21:25:05 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2019-11-13 21:25:05 +0000 |
commit | 99ad0ca768252fe3402e0691558b1c8a12e2ed1f (patch) | |
tree | 431d861c5706faf1c842fcea14ff0dcd6561cb70 | |
parent | de404fd50302df897c5b99700cc7116b3255df6c (diff) |
Non root user must not use ioctl(2) to mess around with the address
of a network interface.
OK deraadt@ claudio@
-rw-r--r-- | sys/net/if.c | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/sys/net/if.c b/sys/net/if.c
index c0c2657d9ab..6732e2a0596 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if.c,v 1.597 2019/11/13 01:36:27 deraadt Exp $ */
+/* $OpenBSD: if.c,v 1.598 2019/11/13 21:25:04 bluhm Exp $ */
 /* $NetBSD: if.c,v 1.35 1996/05/07 05:26:04 thorpej Exp $ */
 /*
@@ -2291,11 +2291,30 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct proc *p)
 error = ((*so->so_proto->pr_usrreq)(so, PRU_CONTROL, (struct mbuf *) cmd, (struct mbuf *) data, (struct mbuf *) ifp, p));
- if (error == EOPNOTSUPP) {
- NET_LOCK();
- error = ((*ifp->if_ioctl)(ifp, cmd, data));
- NET_UNLOCK();
+ if (error != EOPNOTSUPP)
+ break;
+ switch (cmd) {
+ case SIOCAIFADDR:
+ case SIOCDIFADDR:
+ case SIOCSIFADDR:
+ case SIOCSIFNETMASK:
+ case SIOCSIFDSTADDR:
+ case SIOCSIFBRDADDR:
+#ifdef INET6
+ case SIOCAIFADDR_IN6:
+ case SIOCDIFADDR_IN6:
+#endif
+ error = suser(p);
+ break;
+ default:
+ error = 0;
+ break;
 }
+ if (error)
+ break;
+ NET_LOCK();
+ error = ((*ifp->if_ioctl)(ifp, cmd, data));
+ NET_UNLOCK();
 break;
 }
|
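Review bot: The `default:` arm of the new switch in ifioctl sets `error = 0`, so the privilege gate is fail-open. Only the listed address commands go through `suser(p)`; every other command for which `pr_usrreq` returns EOPNOTSUPP still reaches `(*ifp->if_ioctl)` for an unprivileged caller. Whether other state-changing commands are already checked earlier in ifioctl cannot be seen here, because the function starts and ends outside the hunk. I would add a comment above the switch, for example `/* the protocol did not handle cmd; require root for address changes before calling the driver */`, and say there that any new address-setting ioctl must be added to this list. If the earlier cases do not already cover driver-private set commands, it is worth considering the inverse shape, where known read-only commands are listed and the default arm calls `suser(p)`.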