Date:      Fri, 10 Jun 2016 18:02:52 +0000 (UTC)
From:      Garrett Cooper <ngie@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r301803 - stable/10/usr.sbin/rtadvd
Message-ID:  <201606101802.u5AI2qYm022033@repo.freebsd.org>

Author: ngie
Date: Fri Jun 10 18:02:51 2016
New Revision: 301803
URL: https://svnweb.freebsd.org/changeset/base/301803

Log:
  MFC r299507:
  r299507 (by cem):
  
  rtadvd(8): Fix a typo in full msg receive logic
  
  Check against the size of the struct, not the pointer.  Previously, a message
  with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow
  and read(2) to be invoked with msglen size (implicitly cast to signed),
  overrunning the caller-provided buffer.
  
  All users of cm_recv() supply a stack buffer.
  
  On the other hand, the rtadvd control socket appears to only be writable by the
  owner, who is probably root.
  
  While here, correct some types to be size_t or ssize_t.
  
  CID:		1008477
  Security:	unix socket remotes may overflow stack in rtadvd

Modified:
  stable/10/usr.sbin/rtadvd/control.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/usr.sbin/rtadvd/control.c
==============================================================================
--- stable/10/usr.sbin/rtadvd/control.c	Fri Jun 10 17:59:30 2016	(r301802)
+++ stable/10/usr.sbin/rtadvd/control.c	Fri Jun 10 18:02:51 2016	(r301803)
@@ -59,7 +59,7 @@
 int
 cm_recv(int fd, char *buf)
 {
-	int n;
+	ssize_t n;
 	struct ctrl_msg_hdr	*cm;
 	char *msg;
 	struct pollfd pfds[1];
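Review bot: `ssize_t n` is the correct type for what read(2) returns, but it makes every later comparison of `n` against a `sizeof` or `size_t` value a mixed-signedness comparison; the explicit `(ssize_t)` casts in the later hunks are therefore required, so check that no other comparison of `n` inside the poll/read loop (not shown in this hunk's context) was left uncast.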
@@ -98,7 +98,7 @@ cm_recv(int fd, char *buf)
 		}
 	}
 
-	if (n != sizeof(*cm)) {
+	if (n != (ssize_t)sizeof(*cm)) {
 		syslog(LOG_WARNING,
 		    "<%s> received a too small message.", __func__);
 		goto cm_recv_err;
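Review bot: the `(ssize_t)sizeof(*cm)` cast keeps this from being evaluated as an unsigned comparison now that `n` is signed, which is right; note that a negative `n` from a failed read would also land in this "too small" branch unless it is rejected in the unchanged lines above, so consider logging the actual value of `n` in the warning to tell a short read from a read error.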
@@ -123,11 +123,11 @@ cm_recv(int fd, char *buf)
 	    "<%s> ctrl msg received: type=%d", __func__,
 	    cm->cm_type);
 
-	if (cm->cm_len > sizeof(cm)) {
-		int msglen = cm->cm_len - sizeof(*cm);
+	if (cm->cm_len > sizeof(*cm)) {
+		size_t msglen = cm->cm_len - sizeof(*cm);
 
 		syslog(LOG_DEBUG,
-		    "<%s> ctrl msg has payload (len=%d)", __func__,
+		    "<%s> ctrl msg has payload (len=%zu)", __func__,
 		    msglen);
 
 		for (;;) {
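Review bot: `sizeof(*cm)` is the real fix (the old `sizeof(cm)` compared against the pointer size, letting cm_len values between the pointer size and the header size through and underflowing the `int`), and `size_t msglen` with `%zu` closes the underflow; however, nothing in this hunk bounds `msglen` by the caller's buffer: `cm_recv(int fd, char *buf)` takes no length, and the log says every caller passes a stack buffer, so a cm_len larger than that buffer would still overrun it unless a check exists in lines not shown. Suggest adding a buffer-size parameter to cm_recv() and rejecting a `cm_len` that does not fit before entering the read loop.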
@@ -153,7 +153,7 @@ cm_recv(int fd, char *buf)
 			}
 			break;
 		}
-		if (n != msglen) {
+		if (n != (ssize_t)msglen) {
 			syslog(LOG_WARNING,
 			    "<%s> payload size mismatch.", __func__);
 			goto cm_recv_err;
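Review bot: the `(ssize_t)msglen` cast is consistent with the header check above, but the "payload size mismatch" warning reports neither `n` nor `msglen`; include both (`%zd`/`%zu`) so a truncated or oversized control message can be distinguished from a transport error in the logs.

As an added illustration of the underflow described in the log message (not code from the commit or from rtadvd), the pre-fix check beside the fixed one over a constructed 24-byte stand-in for struct ctrl_msg_hdr; the `buflen` bound in the fixed variant is an assumption of this example, not something the committed hunk adds.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Constructed stand-in for the control message header: 24 bytes on every
 * platform, so cm_len values 9..23 sit between an 8-byte pointer and the
 * struct size exactly as the log message describes. Field types are
 * assumptions of this example. */
struct ctrl_msg_hdr {
	uint32_t cm_len;     /* total length, header included */
	uint32_t cm_type;
	uint32_t cm_pad[4];  /* padding to reach 24 bytes */
};

/* Pre-r299507 logic: compares cm_len with sizeof(cm), the POINTER size, then
 * subtracts sizeof(*cm), the struct size, into an int. For cm_len = 9 the
 * unsigned subtraction wraps and the int ends up as -15, which the old code
 * then passed to read(2) as an implicitly huge size. Returns that value. */
long old_payload_len(const struct ctrl_msg_hdr *cm)
{
	if (cm->cm_len > sizeof(cm)) {
		int msglen = cm->cm_len - sizeof(*cm);
		return msglen;
	}
	return 0;
}

/* Fixed logic: compare against the struct, keep msglen unsigned, and (the
 * assumed extra bound) refuse a payload larger than the caller's buffer.
 * Returns the payload length, 0 when there is none, -1 when it will not fit. */
ssize_t new_payload_len(const struct ctrl_msg_hdr *cm, size_t buflen)
{
	size_t msglen;

	if (cm->cm_len <= sizeof(*cm))
		return 0;                    /* header only, no payload */
	msglen = cm->cm_len - sizeof(*cm);   /* cannot underflow now */
	if (msglen > buflen)
		return -1;                   /* would overrun buf */
	return (ssize_t)msglen;
}
```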
