Date:      Mon, 29 Apr 2024 14:12:36 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 28fcfebdaf0f - stable/14 - ng_hci: Add sockaddr validation to sendto()
Message-ID:  <202404291412.43TECaCS045866@gitrepo.freebsd.org>

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=28fcfebdaf0f43f2c006453c778494567fc0a6c4

commit 28fcfebdaf0f43f2c006453c778494567fc0a6c4
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-04-22 15:48:00 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-04-29 14:11:07 +0000

    ng_hci: Add sockaddr validation to sendto()
    
    ng_btsocket_hci_raw_send() wasn't verifying that the destination address
    specified by sendto() is large enough to fill a struct sockaddr_hci.
    Thus, when copying the socket address into an mbuf,
    ng_btsocket_hci_raw_send() may read past the end of the input sockaddr
    while copying.
    
    In practice this is effectively harmless since
    ng_btsocket_hci_raw_output() only uses the address to identify a
    netgraph node.
    
    Reported by:    Oliver Sieber <oliver@secfault-security.com>
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 7f7b4926a779845116913c85ecbb10527daeab02)
---
 sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
index 935991696929..755e26f1f534 100644
--- a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
+++ b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
@@ -1608,6 +1608,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags, struct mbuf *m,
 		goto drop;
 	}
 
+	if (sa != NULL) {
+		if (sa->sa_family != AF_BLUETOOTH) {
+			error = EAFNOSUPPORT;
+			goto drop;
+		}
+		if (sa->sa_len != sizeof(struct sockaddr_hci)) {
+			error = EINVAL;
+			goto drop;
+		}
+	}
+
 	mtx_lock(&pcb->pcb_mtx);
 
 	error = ng_btsocket_hci_raw_filter(pcb, m, 0);
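Review bot: the new block validates sa_family and sa_len only when sa is non-NULL, so the pre-existing NULL-sa path keeps its old behaviour; that is fine as long as the later copy of the address into the mbuf (described in the commit message) is likewise skipped for a NULL sa, which this hunk alone does not show, so a one-line comment above `if (sa != NULL) {` stating that assumption would help. The exact-size test `sa->sa_len != sizeof(struct sockaddr_hci)` is the right one given that the whole structure is copied, but a short comment saying so would stop a reader from wondering whether a `>=` was intended. Finally, this is a user-visible change: a destination with the wrong family now fails with EAFNOSUPPORT and a short or long one with EINVAL where both were previously accepted, and the commit message could mention that.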