Date: Wed, 25 May 2022 08:31:18 GMT
From: Kristof Provost <kp@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: 94cea2fc0761 - stable/13 - rtsock: fix a stack overflow
Message-ID: <202205250831.24P8VILi075759@gitrepo.freebsd.org>
The branch stable/13 has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=94cea2fc07611a2f74641b4cac8c4d245826f5f7

commit 94cea2fc07611a2f74641b4cac8c4d245826f5f7
Author:     Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
AuthorDate: 2022-05-13 17:58:11 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-05-25 08:13:34 +0000

    rtsock: fix a stack overflow

    struct sockaddr is not sufficient for buffer that can hold any
    sockaddr_* structure. struct sockaddr_storage should be used.

    Test:
     ifconfig epair create
     ifconfig epair0a inet6 add 2001:db8::1 up
     ndp -s 2001:db8::2 02:86:98:2e:96:0b proxy
     # this triggers kernel stack overflow

    Reviewed by:    markj, kp
    Differential Revision:  https://reviews.freebsd.org/D35188

    (cherry picked from commit 9573cc35555eb0da35da5712462de9f6107fb974)

--- sys/net/rtsock.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index 1f898c739725..5f386a2142f6 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -788,7 +788,7 @@ handle_rtm_get(struct rt_addrinfo *info, u_int fibnum, * TODO: move this logic to userland. */ if (rtm->rtm_flags & RTF_ANNOUNCE) { - struct sockaddr laddr; + struct sockaddr_storage laddr; if (nh->nh_ifp != NULL && nh->nh_ifp->if_type == IFT_PROPVIRTUAL) { @@ -798,17 +798,17 @@ handle_rtm_get(struct rt_addrinfo *info, u_int fibnum, RT_ALL_FIBS); if (ifa != NULL) rt_maskedcopy(ifa->ifa_addr, - &laddr, + (struct sockaddr *)&laddr, ifa->ifa_netmask); } else rt_maskedcopy(nh->nh_ifa->ifa_addr, - &laddr, + (struct sockaddr *)&laddr, nh->nh_ifa->ifa_netmask); /* * refactor rt and no lock operation necessary */ - rc->rc_rt = (struct rtentry *)rnh->rnh_matchaddr(&laddr, - &rnh->head); + rc->rc_rt = (struct rtentry *)rnh->rnh_matchaddr( + (struct sockaddr *)&laddr, &rnh->head); if (rc->rc_rt == NULL) { RIB_RUNLOCK(rnh); return (ESRCH);
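Review bot: The new "struct sockaddr_storage laddr;" declaration in the RTF_ANNOUNCE block (first hunk, at line 788) carries no comment saying why the larger type is required, and the rt_maskedcopy() calls that fill it take only source, destination and netmask, with no destination size. Nothing at the call site would stop a later cleanup from narrowing the type back to struct sockaddr. A one-line comment at the declaration stating that the buffer must be able to hold a sockaddr of any address family would record the constraint next to the code that depends on it.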
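Review bot: In the second hunk (at line 798), the IFT_PROPVIRTUAL branch skips the copy when ifa is NULL ("if (ifa != NULL) rt_maskedcopy(ifa->ifa_addr, ..."), yet laddr is still passed to rnh->rnh_matchaddr() a few lines later, and the declaration in the first hunk has no initializer. In the lines shown, that path performs the lookup with whatever bytes happen to be on the stack. Consider zeroing laddr where it is declared, or returning an error when ifa is NULL, so the lookup key is always defined.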