author | das <das@FreeBSD.org> | 2005-03-23 08:28:00 +0000 |
---|---|---|
committer | das <das@FreeBSD.org> | 2005-03-23 08:28:00 +0000 |
commit | fbf7a9b2eeca945d9a6947410d6fa2b1c321d366 (patch) | |
tree | b3ed4d07a00684ce74c0a697ddaf060e2646caae /sys/compat/linux/linux_socket.c | |
parent | a556c42bd80040034647976d365ac3e4b064bacb (diff) | |
Reject packets larger than IP_MAXPACKET in linux_sendto() for sockets
with the IP_HDRINCL option set. Without this change, a Linux process
with access to a raw socket could cause a kernel panic. Raw sockets
must be created by root, and are generally not consigned to untrusted
applications; hence, the security implications of this bug are
minimal. I believe this only affects 6-CURRENT on or after 2005-01-30.
Found by: Coverity Prevent analysis tool
Security: Local DOS
Diffstat (limited to 'sys/compat/linux/linux_socket.c')
-rw-r--r-- | sys/compat/linux/linux_socket.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c index 9ae7662..950e170 100644 --- a/sys/compat/linux/linux_socket.c +++ b/sys/compat/linux/linux_socket.c @@ -452,8 +452,9 @@ linux_sendto_hdrincl(struct thread *td, struct linux_sendto_args *linux_args) struct iovec aiov[1]; int error; - /* Check the packet isn't too small before we mess with it */ - if (linux_args->len < linux_ip_copysize) + /* Check that the packet isn't too big or too small. */ + if (linux_args->len < linux_ip_copysize || + linux_args->len > IP_MAXPACKET) return (EINVAL); packet = (struct ip *)malloc(linux_args->len, M_TEMP, M_WAITOK); |
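
Review bot: the new upper-bound branch in linux_sendto_hdrincl() returns EINVAL for `linux_args->len > IP_MAXPACKET`, but a Linux caller of sendto() on a raw socket would normally see EMSGSIZE for an oversized datagram. Since this is the Linux compatibility path, consider splitting the condition so the too-small case keeps EINVAL and the too-large case returns EMSGSIZE. The comment would also be more useful if it said why the upper bound matters, that is, which later step cannot handle a length above IP_MAXPACKET, so the check is not dropped in a future cleanup. The declarations of `linux_args->len` and `linux_ip_copysize` are outside this hunk, so it is worth confirming that both comparisons are done on unsigned values before the length reaches `malloc(linux_args->len, M_TEMP, M_WAITOK)`.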