author | Klemens Nanni <kn@cvs.openbsd.org> | 2023-04-24 12:11:57 +0000 |
---|---|---|
committer | Klemens Nanni <kn@cvs.openbsd.org> | 2023-04-24 12:11:57 +0000 |
commit | a5b8b2a7e2cbcb6d7757417ea1f87e8be555eba6 (patch) | |
tree | be8fc794f19f3e7659d0696e10febd42cb98d96a /sys/netinet | |
parent | 1bfea8d3fec28770a9e97e652e10f491fbc6e079 (diff) |
Hoist privilege checks further
in6.c already has the privilege check as early as possible, make in.c match.
For unprivileged IPv4 ioctl calls with invalid args, this changes errno from
E* to EPERM.
OK bluhm
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/in.c | 34 |
1 files changed, 14 insertions, 20 deletions
diff --git a/sys/netinet/in.c b/sys/netinet/in.c index 0d36710a5a3..624c67db34f 100644 --- a/sys/netinet/in.c +++ b/sys/netinet/in.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in.c,v 1.183 2023/04/21 00:41:13 kn Exp $ */ +/* $OpenBSD: in.c,v 1.184 2023/04/24 12:11:56 kn Exp $ */ /* $NetBSD: in.c,v 1.26 1996/02/13 23:41:39 christos Exp $ */ /* @@ -84,8 +84,8 @@ void in_socktrim(struct sockaddr_in *); -int in_ioctl_set_ifaddr(u_long, caddr_t, struct ifnet *, int); -int in_ioctl_change_ifaddr(u_long, caddr_t, struct ifnet *, int); +int in_ioctl_set_ifaddr(u_long, caddr_t, struct ifnet *); +int in_ioctl_change_ifaddr(u_long, caddr_t, struct ifnet *); int in_ioctl_get(u_long, caddr_t, struct ifnet *); void in_purgeaddr(struct ifaddr *); int in_addhost(struct in_ifaddr *, struct sockaddr_in *); @@ -235,10 +235,14 @@ in_ioctl(u_long cmd, caddr_t data, struct ifnet *ifp, int privileged) case SIOCGIFBRDADDR: return in_ioctl_get(cmd, data, ifp); case SIOCSIFADDR: - return in_ioctl_set_ifaddr(cmd, data, ifp, privileged); + if (!privileged) + return (EPERM); + return in_ioctl_set_ifaddr(cmd, data, ifp); case SIOCAIFADDR: case SIOCDIFADDR: - return in_ioctl_change_ifaddr(cmd, data, ifp, privileged); + if (!privileged) + return (EPERM); + return in_ioctl_change_ifaddr(cmd, data, ifp); case SIOCSIFNETMASK: case SIOCSIFDSTADDR: case SIOCSIFBRDADDR: @@ -247,6 +251,9 @@ in_ioctl(u_long cmd, caddr_t data, struct ifnet *ifp, int privileged) return (EOPNOTSUPP); } + if (!privileged) + return (EPERM); + if (ifr->ifr_addr.sa_family == AF_INET) { error = in_sa2sin(&ifr->ifr_addr, &sin); if (error) @@ -275,11 +282,6 @@ in_ioctl(u_long cmd, caddr_t data, struct ifnet *ifp, int privileged) goto err; } - if (!privileged) { - error = EPERM; - goto err; - } - switch (cmd) { case SIOCSIFDSTADDR: if ((ifp->if_flags & IFF_POINTOPOINT) == 0) { 
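Review bot: With the `if (!privileged)` tests moved into the `SIOCSIFADDR` and `SIOCAIFADDR`/`SIOCDIFADDR` cases of hunk `@@ -235,10 +235,14 @@`, in_ioctl_set_ifaddr() and in_ioctl_change_ifaddr() no longer enforce privilege themselves. Nothing at their definitions (hunks `@@ -335,8` and `@@ -393,8`) or at the non-static prototypes in `@@ -84,8` records that authorization is now the caller's job. Whether in_ioctl() is their only caller is not visible on this page. A one-line comment above each helper would keep a later caller from reaching them unchecked: `/* Caller must have checked privilege; see in_ioctl(). */`. The body of in_ioctl() starts and ends outside this hunk.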
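Review bot: The hoisted check in hunk `@@ -247,6 +251,9 @@` leaves with a plain `return (EPERM);`, while the check it replaces (removed in `@@ -275,11 +282,6 @@`) left through `goto err`. The two are equivalent only if nothing that `err:` releases has been acquired this early in in_ioctl(). The lines between the two hunks are not shown, so that is worth confirming. A short comment at the new check would also record the ordering intent: `/* Reject unprivileged callers before looking at the arguments. */`.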
@@ -335,8 +337,7 @@ err: } int -in_ioctl_set_ifaddr(u_long cmd, caddr_t data, struct ifnet *ifp, - int privileged) +in_ioctl_set_ifaddr(u_long cmd, caddr_t data, struct ifnet *ifp) { struct ifreq *ifr = (struct ifreq *)data; struct ifaddr *ifa; @@ -348,9 +349,6 @@ in_ioctl_set_ifaddr(u_long cmd, caddr_t data, struct ifnet *ifp, if (cmd != SIOCSIFADDR) panic("%s: invalid ioctl %lu", __func__, cmd); - if (!privileged) - return (EPERM); - error = in_sa2sin(&ifr->ifr_addr, &sin); if (error) return (error); @@ -395,8 +393,7 @@ in_ioctl_set_ifaddr(u_long cmd, caddr_t data, struct ifnet *ifp, } int -in_ioctl_change_ifaddr(u_long cmd, caddr_t data, struct ifnet *ifp, - int privileged) +in_ioctl_change_ifaddr(u_long cmd, caddr_t data, struct ifnet *ifp) { struct ifaddr *ifa; struct in_ifaddr *ia = NULL; @@ -412,9 +409,6 @@ in_ioctl_change_ifaddr(u_long cmd, caddr_t data, struct ifnet *ifp, return (error); } - if (!privileged) - return (EPERM); - KERNEL_LOCK(); NET_LOCK(); |