K 10
svn:author
V 3
jhb
K 8
svn:date
V 27
2020-05-14T17:56:43.813830Z
K 7
svn:log
V 1381
MFC 360171,360179,360285,360388: Don't dereference various user pointers.

360171:
Don't access a user buffer directly from the kernel.

The handle_string callback for the ENCIOC_SETSTRING ioctl was passing
a user pointer to memcpy().  Fix by using copyin() instead.

For ENCIOC_GETSTRING ioctls, the handler was storing the user pointer
in a CCB's data_ptr field where it was indirected by other code.  Fix
this by allocating a temporary buffer (which ENCIOC_SETSTRING already
did) and copying the result out to the user buffer after the CCB has
been processed.

360179:
Don't pass a user buffer pointer as the data pointer in a CCB.

Allocate a temporary buffer in the kernel to serve as the CCB data
pointer for a pass-through transaction and use copyin/copyout to
shuffle the data to/from the user buffer.

360285:
Don't indirect user pointers directly in two 802.11s ioctls.

IEEE80211_MESH_RTCMD_ADD was invoking memcmp() to validate the
supplied address directly on the user pointer rather than first doing
a copyin() and validating the copied value.

IEEE80211_MESH_RTCMD_DELETE was passing the user pointer directly to
ieee80211_mesh_rt_del() rather than copying the user buffer into a
temporary kernel buffer.

360388:
Don't run strcmp() against strings stored in user memory.

Instead, copy the strings into a temporary buffer on the stack and
run strcmp on the copies.

END