| field | value | date |
|---|---|---|
| author | mjg <mjg@FreeBSD.org> | 2014-07-06 23:01:29 +0000 |
| committer | mjg <mjg@FreeBSD.org> | 2014-07-06 23:01:29 +0000 |
| commit | 12766f2ff4b9f4fb6f1b98c96b5f5207ad0c9de7 (patch) | |
| tree | 8dbdedf7e55b59823c1ba6fa38748c1811c9cf7c | |
| parent | 134eeca7553ded4c64041465105cebf1c444c9ca (diff) | |
MFC r267947:
Check lower bound of cmsg_len.
If passed cm->cmsg_len was below cmsghdr size the expression:
datalen = (caddr_t)cm + cm->cmsg_len - (caddr_t)data;
would give negative result. However, in practice it would not
result in a crash because the kernel would try to obtain garbage fds
for given process and would error out with EBADF.
PR: 124908
Submitted by: campbell mumble.net (modified a little)
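The bound described in the commit message, as an added example that is not FreeBSD code: a user-space model of the patched check, run over a constructed control buffer using the host's <sys/socket.h> cmsghdr layout (offsets differ from the FreeBSD kernel's; `check_control`, `cmsg_datalen` and `check_with_cmsg_len` are illustrative names). It also keeps a sign check on datalen, which covers ABIs where CMSG_DATA sits past sizeof(*cm).

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* datalen as written in the commit message: payload start to the end the
 * header claims. Negative when cmsg_len is below the payload offset. */
static ptrdiff_t cmsg_datalen(const struct cmsghdr *cm)
{
    const char *data = (const char *)CMSG_DATA(cm);
    return (const char *)cm + cm->cmsg_len - data;
}

/* Walk a control buffer of clen bytes with the patched condition:
 * header fits, level is SOL_SOCKET, sizeof(*cm) <= cmsg_len <= clen.
 * Returns 0 when every cmsg passes, EINVAL at the first bad one. */
int check_control(const void *buf, size_t clen)
{
    const char *p = buf;
    while (clen > 0) {
        const struct cmsghdr *cm = (const struct cmsghdr *)p;
        if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
            || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm))
            return EINVAL;
        /* Guard for ABIs where CMSG_DATA lies past sizeof(*cm): datalen < 0 */
        ptrdiff_t datalen = cmsg_datalen(cm);
        if (datalen < 0)
            return EINVAL;
        size_t step = CMSG_SPACE((size_t)datalen);
        if (step >= clen)
            break;              /* last cmsg; trailing padding may be cut */
        p += step;
        clen -= step;
    }
    return 0;
}

/* Constructed input: one SCM_RIGHTS cmsg carrying fd 3, with cmsg_len set
 * to whatever the caller passes, including deliberately bogus values. */
int check_with_cmsg_len(size_t cmsg_len_field)
{
    union { struct cmsghdr hdr; unsigned char raw[CMSG_SPACE(sizeof(int))]; } u;
    int fd = 3;
    memset(u.raw, 0, sizeof u.raw);
    u.hdr.cmsg_len = cmsg_len_field;
    u.hdr.cmsg_level = SOL_SOCKET;
    u.hdr.cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(&u.hdr), &fd, sizeof fd);
    return check_control(u.raw, sizeof u.raw);
}
```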
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | sys/kern/uipc_usrreq.c | 2 |

1 files changed, 1 insertions, 1 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index 87322da..4fe59fc 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -1859,7 +1859,7 @@ unp_internalize(struct mbuf **controlp, struct thread *td) *controlp = NULL; while (cm != NULL) { if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET - || cm->cmsg_len > clen) { + || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) { error = EINVAL; goto out; } |
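Review bot: the new `cm->cmsg_len < sizeof(*cm)` term closes the negative `datalen` case only when the payload starts exactly at `sizeof(*cm)`; if `data` in `datalen = (caddr_t)cm + cm->cmsg_len - (caddr_t)data;` comes from CMSG_DATA(), which places the payload at CMSG_ALIGN(sizeof(struct cmsghdr)), a cmsg_len between `sizeof(*cm)` and that aligned size still passes the check and still yields a negative datalen. Consider bounding against the same offset used to derive `data`, or rejecting `datalen < 0` explicitly right after it is computed. A one-line comment above the four-term `if` saying which bound each term enforces would also spare the next reader from re-deriving it.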