authordas <das@FreeBSD.org>2005-03-23 08:28:00 +0000
committerdas <das@FreeBSD.org>2005-03-23 08:28:00 +0000
commitfbf7a9b2eeca945d9a6947410d6fa2b1c321d366 (patch)
treeb3ed4d07a00684ce74c0a697ddaf060e2646caae
parenta556c42bd80040034647976d365ac3e4b064bacb (diff)
Reject packets larger than IP_MAXPACKET in linux_sendto() for sockets
with the IP_HDRINCL option set. Without this change, a Linux process with access to a raw socket could cause a kernel panic. Raw sockets must be created by root, and are generally not consigned to untrusted applications; hence, the security implications of this bug are minimal. I believe this only affects 6-CURRENT on or after 2005-01-30. Found by: Coverity Prevent analysis tool Security: Local DOS
-rw-r--r--sys/compat/linux/linux_socket.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c
index 9ae7662..950e170 100644
--- a/sys/compat/linux/linux_socket.c
+++ b/sys/compat/linux/linux_socket.c
@@ -452,8 +452,9 @@ linux_sendto_hdrincl(struct thread *td, struct linux_sendto_args *linux_args)
struct iovec aiov[1];
int error;
- /* Check the packet isn't too small before we mess with it */
- if (linux_args->len < linux_ip_copysize)
+ /* Check that the packet isn't too big or too small. */
+ if (linux_args->len < linux_ip_copysize ||
+ linux_args->len > IP_MAXPACKET)
return (EINVAL);
packet = (struct ip *)malloc(linux_args->len, M_TEMP, M_WAITOK);
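Review bot: The oversize case in the new `linux_args->len > IP_MAXPACKET` test returns the same `EINVAL` as the undersize case, so a caller cannot tell a too-long datagram from a truncated header; raw-socket send paths conventionally report the former as `EMSGSIZE`. Consider keeping `if (linux_args->len < linux_ip_copysize) return (EINVAL);` and adding a separate `if (linux_args->len > IP_MAXPACKET) return (EMSGSIZE);`. The comment would also help more if it said why the upper bound matters, e.g. `/* len is user-supplied and sizes the malloc() below; bound it before allocating. */`. The declared type of `len` is not visible in this hunk, so it is worth confirming that both comparisons behave as intended for a negative or very large value. The body of linux_sendto_hdrincl starts and continues outside the hunk.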