Unbreak ppp(8) over tun(4) by restriciting the flags that can be changed

via TUNSIFINFO. ppp(8) was happily clearing the RUNNING flag and so all
incomming packets where dropped. Issue reported by irix <at> ukr <dot> net.
While there check that the mtu is in a valid range -- stolen from SIOCSIFMTU
case.

1 files changed, 11 insertions, 2 deletions

diff --git a/sys/net/if_tun.c b/sys/net/if_tun.c
index d57064f7f53..20b629bb6f0 100644
--- a/sys/net/if_tun.c
+++ b/sys/net/if_tun.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_tun.c,v 1.83 2007/02/06 10:49:40 claudio Exp $	*/
+/*	$OpenBSD: if_tun.c,v 1.84 2007/02/16 13:41:21 claudio Exp $	*/
 /*	$NetBSD: if_tun.c,v 1.24 1996/05/07 02:40:48 thorpej Exp $	*/
 
 /*
@@ -111,6 +111,9 @@ int	tundebug = TUN_DEBUG;
 #define TUNDEBUG(a)	/* (tundebug? printf a : 0) */
 #endif
 
+/* Only these IFF flags are changeable by TUNSIFINFO */
+#define TUN_IFF_FLAGS (IFF_UP|IFF_POINTOPOINT|IFF_MULTICAST|IFF_BROADCAST)
+
 extern int ifqmaxlen;
 
 void	tunattach(int);
@@ -612,9 +615,15 @@ tunioctl(dev_t dev, u_long cmd, caddr_t data, int flag, struct proc *p)
 	switch (cmd) {
 	case TUNSIFINFO:
 		tunp = (struct tuninfo *)data;
+		if (tunp->mtu < ETHERMIN || tunp->mtu > TUNMRU) {
+			splx(s);
+			return (EINVAL);
+		}
 		tp->tun_if.if_mtu = tunp->mtu;
 		tp->tun_if.if_type = tunp->type;
-		tp->tun_if.if_flags = tunp->flags;
+		tp->tun_if.if_flags = 
+		    (tunp->flags & TUN_IFF_FLAGS) |
+		    (tp->tun_if.if_flags & ~TUN_IFF_FLAGS);
 		tp->tun_if.if_baudrate = tunp->baudrate;
 		break;
 	case TUNGIFINFO: