author | ngie <ngie@FreeBSD.org> | 2016-06-10 18:02:51 +0000 |
---|---|---|
committer | ngie <ngie@FreeBSD.org> | 2016-06-10 18:02:51 +0000 |
commit | fea5a69f20857ffb5d29a2124b16560e58384078 (patch) | |
tree | c41800b7a8ebafbf4f266d7c0bb731d71ca72683 /contrib/diff/src/cmp.c | |
parent | ea6cfdfcf90bbd6d13e10ff2f6e33eb24b865a01 (diff) | |

MFC r299507:

r299507 (by cem):

rtadvd(8): Fix a typo in full msg receive logic

Check against the size of the struct, not the pointer. Previously, a message
with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow
and read(2) to be invoked with msglen size (implicitly cast to signed),
overrunning the caller-provided buffer.

All users of cm_recv() supply a stack buffer.

On the other hand, the rtadvd control socket appears to only be writable by the
owner, who is probably root.

While here, correct some types to be size_t or ssize_t.

CID: 1008477
Security: unix socket remotes may overflow stack in rtadvd

Diffstat (limited to 'contrib/diff/src/cmp.c')
0 files changed, 0 insertions, 0 deletions
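
The length check described in the commit message, modelled as an added example (this is not the rtadvd source or the committed change). `struct demo_hdr`, `buggy_check`, `fixed_check`, `read_count` and the 4096-byte buffer size are hypothetical, and the upper bound in `fixed_check` is an assumption of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical header: on LP64 it is 24 bytes, while a pointer to it is 8. */
struct demo_hdr {
    int    version;
    size_t len;      /* plays the role of cm_len: total message length */
    int    type;
};

/* Pre-fix shape: the minimum-length test uses the size of the POINTER. */
static int buggy_check(size_t cm_len, int *msglen)
{
    struct demo_hdr *cm = NULL;                 /* only used inside sizeof */
    if (cm_len < sizeof(cm))                    /* bug: pointer size, not struct size */
        return 0;
    *msglen = (int)cm_len - (int)sizeof(*cm);   /* negative for a short cm_len */
    return 1;
}

/* What a size_t byte-count parameter receives when handed that int. */
static size_t read_count(int msglen)
{
    return (size_t)msglen;
}

/* Post-fix shape: compare against the struct size; the bufsize bound is an
 * extra check assumed for this example. */
static int fixed_check(size_t cm_len, size_t bufsize, size_t *msglen)
{
    if (cm_len < sizeof(struct demo_hdr) || cm_len > bufsize)
        return 0;
    *msglen = cm_len - sizeof(struct demo_hdr);
    return 1;
}

int main(void)
{
    for (size_t len = 0; len <= sizeof(struct demo_hdr) + 1; len++) {
        int bad = 0; size_t good = 0;
        int b = buggy_check(len, &bad), f = fixed_check(len, 4096, &good);
        printf("cm_len=%2zu buggy=%s", len, b ? "accept" : "reject");
        if (b) printf(" msglen=%d count=%zu", bad, read_count(bad));
        printf(" fixed=%s\n", f ? "accept" : "reject");
    }
    return 0;
}
```

On an LP64 build the loop shows the buggy check accepting lengths from 8 upward, with a negative `msglen` for every length below 24, while the fixed check rejects all of them.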