diff options
author | shin <shin@FreeBSD.org> | 2000-02-24 19:21:26 +0000 |
---|---|---|
committer | shin <shin@FreeBSD.org> | 2000-02-24 19:21:26 +0000 |
commit | a2e9fa03c1cb7574c2bcf396e49a8f8cfaac29b6 (patch) | |
tree | 49bc7a9f71f328c9003ac97697f2a16367d6d074 /sys | |
parent | 7ba9efa321a25a4311f0cc87a5a92dbfabdc74e5 (diff) | |
download | FreeBSD-src-a2e9fa03c1cb7574c2bcf396e49a8f8cfaac29b6.zip FreeBSD-src-a2e9fa03c1cb7574c2bcf396e49a8f8cfaac29b6.tar.gz |
Add length check to sbcreatecontrol().
Now this check is necessary because IPv6 source routing might use
control data bigger than MLEN. (e.g. 16bytes IPv6 addr x 23 hops)
Actually mbuf cluster should be used in uipc_socket.c:sbcreatecontrol()
and uipc_syscalls.c:sockargs() when data size is bigger then MLEN,
and such patches were already in KAME environment and have been
confirmed to work well. I just forgot to merge them into 4.0, sorry.
For safety, I'll postpone such patches until after 4.0 release.
The effect of postponement is followings.
-Ping6 source routing hops are limitted to around 6 or so.
-If some apps do setsockopt IPV6_RTHDR and try to receive
incoming IPv6 source routing info, it can't receive more
than 6 hops source routing info.
(But currently, no apps seems to be doing it.)
Approved by: jkh
Diffstat (limited to 'sys')
-rw-r--r-- | sys/kern/uipc_sockbuf.c | 2 | ||||
-rw-r--r-- | sys/kern/uipc_socket2.c | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c index d71806b..c1072b7 100644 --- a/sys/kern/uipc_sockbuf.c +++ b/sys/kern/uipc_sockbuf.c @@ -839,6 +839,8 @@ sbcreatecontrol(p, size, type, level) register struct cmsghdr *cp; struct mbuf *m; + if ((u_int)size > MLEN) + return ((struct mbuf *) NULL); if ((m = m_get(M_DONTWAIT, MT_CONTROL)) == NULL) return ((struct mbuf *) NULL); cp = mtod(m, struct cmsghdr *); diff --git a/sys/kern/uipc_socket2.c b/sys/kern/uipc_socket2.c index d71806b..c1072b7 100644 --- a/sys/kern/uipc_socket2.c +++ b/sys/kern/uipc_socket2.c @@ -839,6 +839,8 @@ sbcreatecontrol(p, size, type, level) register struct cmsghdr *cp; struct mbuf *m; + if ((u_int)size > MLEN) + return ((struct mbuf *) NULL); if ((m = m_get(M_DONTWAIT, MT_CONTROL)) == NULL) return ((struct mbuf *) NULL); cp = mtod(m, struct cmsghdr *); |