Date:      Fri, 27 Jun 2014 05:04:36 +0000 (UTC)
From:      Mateusz Guzik <mjg@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r267947 - head/sys/kern
Message-ID:  <201406270504.s5R54aCa045692@svn.freebsd.org>

Author: mjg
Date: Fri Jun 27 05:04:36 2014
New Revision: 267947
URL: http://svnweb.freebsd.org/changeset/base/267947

Log:
  Check lower bound of cmsg_len.
  
  If passed cm->cmsg_len was below cmsghdr size the expression:
  datalen = (caddr_t)cm + cm->cmsg_len - (caddr_t)data;
  
  would give negative result. However, in practice it would not
  result in a crash because the kernel would try to obtain garbage fds
  for given process and would error out with EBADF.
  
  PR:		124908
  Submitted by:	campbell mumble.net (modified a little)
  MFC after:	1 week
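
The following is an added example, not FreeBSD's code: it reproduces the two header checks from unp_internalize() before and after this revision as stand-alone functions, builds a constructed SCM_RIGHTS control message with a chosen cmsg_len, and evaluates the datalen expression quoted in the log so the negative result can be observed directly. The buffer size, the sample descriptor number and the function names (check_cmsg_old, check_cmsg_new, cmsg_datalen, evaluate_cmsg_len) are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>

/*
 * Constructed example (not FreeBSD's code): the header checks from
 * unp_internalize() before and after r267947, plus the datalen
 * computation quoted in the commit log, applied to a sample buffer.
 */

/* Pre-r267947 check: header fits in the buffer, level is SOL_SOCKET,
 * and cmsg_len does not run past the remaining control data. */
static int
check_cmsg_old(const struct cmsghdr *cm, size_t clen)
{
	if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
	    || cm->cmsg_len > clen)
		return (EINVAL);
	return (0);
}

/* r267947 check: the same tests plus the lower bound on cmsg_len. */
static int
check_cmsg_new(const struct cmsghdr *cm, size_t clen)
{
	if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
	    || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm))
		return (EINVAL);
	return (0);
}

/*
 * datalen as the commit log states it:
 *   datalen = (caddr_t)cm + cm->cmsg_len - (caddr_t)data;
 * The pointer difference is signed, so a cmsg_len shorter than the
 * header yields a negative length rather than an error.
 */
static long
cmsg_datalen(const struct cmsghdr *cm)
{
	const char *data = (const char *)CMSG_DATA(cm);

	return ((const char *)cm + cm->cmsg_len - data);
}

/*
 * Build one SCM_RIGHTS message with the requested cmsg_len, run both
 * versions of the check on it and return the datalen the kernel would
 * compute. *old_error and *new_error receive 0 or EINVAL.
 */
long
evaluate_cmsg_len(size_t len, int *old_error, int *new_error)
{
	union {
		struct cmsghdr hdr;	/* forces cmsghdr alignment */
		unsigned char raw[64];	/* constructed control buffer */
	} u;
	struct cmsghdr *cm = &u.hdr;
	int fd = 3;	/* constructed sample descriptor number */

	memset(&u, 0, sizeof(u));
	cm->cmsg_level = SOL_SOCKET;
	cm->cmsg_type = SCM_RIGHTS;
	cm->cmsg_len = len;
	memcpy(CMSG_DATA(cm), &fd, sizeof(fd));

	*old_error = check_cmsg_old(cm, sizeof(u.raw));
	*new_error = check_cmsg_new(cm, sizeof(u.raw));
	return (cmsg_datalen(cm));
}

int
main(void)
{
	size_t lens[] = { CMSG_LEN(sizeof(int)), 4, 0, 100 };
	size_t i;
	int old_error, new_error;
	long datalen;

	for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
		datalen = evaluate_cmsg_len(lens[i], &old_error, &new_error);
		printf("cmsg_len=%3zu datalen=%4ld old=%s new=%s\n",
		    lens[i], datalen,
		    old_error ? "EINVAL" : "ok",
		    new_error ? "EINVAL" : "ok");
	}
	return (0);
}
```

A well-formed message (cmsg_len == CMSG_LEN(sizeof(int))) passes both checks with datalen equal to sizeof(int); a cmsg_len of 4 or 0 passes the old check and yields a negative datalen, while the new check rejects it with EINVAL; a cmsg_len larger than the buffer was already rejected by the upper bound in both versions.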

Modified:
  head/sys/kern/uipc_usrreq.c

Modified: head/sys/kern/uipc_usrreq.c
==============================================================================
--- head/sys/kern/uipc_usrreq.c	Fri Jun 27 04:17:05 2014	(r267946)
+++ head/sys/kern/uipc_usrreq.c	Fri Jun 27 05:04:36 2014	(r267947)
@@ -1859,7 +1859,7 @@ unp_internalize(struct mbuf **controlp, 
 	*controlp = NULL;
 	while (cm != NULL) {
 		if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
-		    || cm->cmsg_len > clen) {
+		    || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) {
 			error = EINVAL;
 			goto out;
 		}
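Review bot: the added `cm->cmsg_len < sizeof(*cm)` bound guarantees the header itself lies within cmsg_len, but not that cmsg_len reaches the start of the payload; where CMSG_DATA() rounds the header up to the platform alignment, a cmsg_len between sizeof(*cm) and CMSG_LEN(0) still passes this test and the `datalen = (caddr_t)cm + cm->cmsg_len - (caddr_t)data` expression from the log still goes negative. Consider `cm->cmsg_len < CMSG_LEN(0)` as the lower bound, which rejects every length short of the data pointer. The ordering is otherwise right: `sizeof(*cm) > clen` is evaluated first, so cmsg_len is never read from a truncated header.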
