This is xnu-11215.1.10. See this file in:
#include <stdio.h>
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/sys_domain.h>
#include <sys/kern_control.h>
#include <darwintest.h>
#define RVI_CONTROL_NAME "com.apple.net.rvi_control"
#define RVI_COMMAND_GET_INTERFACE 0x20
T_GLOBAL_META(
T_META_NAMESPACE("xnu.net"),
T_META_RADAR_COMPONENT_NAME("xnu"),
T_META_RADAR_COMPONENT_VERSION("networking"),
T_META_ENABLED(TARGET_OS_OSX),
T_META_ASROOT_(1)
);
T_DECL(rvi_control_get_interface, "getsockopt on RVI control-socket triggering out-of-bounds memory access", T_META_TAG_VM_PREFERRED)
{
int fd;
T_ASSERT_POSIX_SUCCESS(fd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL), NULL);
struct ctl_info ctl_info = {
.ctl_name = RVI_CONTROL_NAME
};
T_ASSERT_POSIX_SUCCESS(ioctl(fd, CTLIOCGINFO, &ctl_info), NULL);
struct sockaddr_ctl sockaddr_ctl = {
.sc_len = sizeof(struct sockaddr_ctl),
.sc_family = AF_SYSTEM,
.ss_sysaddr = AF_SYS_CONTROL,
.sc_id = ctl_info.ctl_id,
.sc_unit = 0
};
T_ASSERT_POSIX_SUCCESS(connect(fd, (const struct sockaddr *)&sockaddr_ctl, sizeof(struct sockaddr_ctl)), NULL);
char data[10];
socklen_t data_len = 1;
T_ASSERT_POSIX_SUCCESS(getsockopt(fd, SYSPROTO_CONTROL, RVI_COMMAND_GET_INTERFACE, &data, &data_len), NULL);
data_len = 5;
T_ASSERT_POSIX_SUCCESS(getsockopt(fd, SYSPROTO_CONTROL, RVI_COMMAND_GET_INTERFACE, &data, &data_len), NULL);
T_ASSERT_EQ(data_len, 5, "data_len == 5", NULL);
data_len = 10;
T_ASSERT_POSIX_SUCCESS(getsockopt(fd, SYSPROTO_CONTROL, RVI_COMMAND_GET_INTERFACE, &data, &data_len), NULL);
T_ASSERT_EQ(data_len, 5, "data_len == 5", NULL);
T_PASS("success");
}