authorshin <shin@FreeBSD.org>2000-02-24 19:21:26 +0000
committershin <shin@FreeBSD.org>2000-02-24 19:21:26 +0000
commita2e9fa03c1cb7574c2bcf396e49a8f8cfaac29b6 (patch)
tree49bc7a9f71f328c9003ac97697f2a16367d6d074 /sys
parent7ba9efa321a25a4311f0cc87a5a92dbfabdc74e5 (diff)
Add length check to sbcreatecontrol().
Now this check is necessary because IPv6 source routing might use control data bigger than MLEN. (e.g. 16bytes IPv6 addr x 23 hops) Actually mbuf cluster should be used in uipc_socket.c:sbcreatecontrol() and uipc_syscalls.c:sockargs() when data size is bigger than MLEN, and such patches were already in KAME environment and have been confirmed to work well. I just forgot to merge them into 4.0, sorry. For safety, I'll postpone such patches until after 4.0 release. The effects of the postponement are as follows. -Ping6 source routing hops are limited to around 6 or so. -If some apps do setsockopt IPV6_RTHDR and try to receive incoming IPv6 source routing info, they can't receive more than 6 hops of source routing info. (But currently, no apps seem to be doing it.) Approved by: jkh
Diffstat (limited to 'sys')
-rw-r--r--sys/kern/uipc_sockbuf.c2
-rw-r--r--sys/kern/uipc_socket2.c2
2 files changed, 4 insertions, 0 deletions
diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c
index d71806b..c1072b7 100644
--- a/sys/kern/uipc_sockbuf.c
+++ b/sys/kern/uipc_sockbuf.c
@@ -839,6 +839,8 @@ sbcreatecontrol(p, size, type, level)
register struct cmsghdr *cp;
struct mbuf *m;
+ if ((u_int)size > MLEN)
+ return ((struct mbuf *) NULL);
if ((m = m_get(M_DONTWAIT, MT_CONTROL)) == NULL)
return ((struct mbuf *) NULL);
cp = mtod(m, struct cmsghdr *);
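Review bot: The added guard in sbcreatecontrol() bounds only the payload: `(u_int)size > MLEN` still accepts a size equal to MLEN, yet `cp = mtod(m, struct cmsghdr *)` on the last context line indicates that a struct cmsghdr header sits at the start of the same mbuf. If the payload is copied in after that header (the copy itself is outside the hunk, as is the rest of the function body), any size above MLEN minus the header length would still run past the mbuf's data area. The bound should include the header, e.g. `if ((u_int)size > MLEN - sizeof(struct cmsghdr))`, tightened further for any alignment padding the CMSG macros add. The identical hunk in sys/kern/uipc_socket2.c needs the same change.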
diff --git a/sys/kern/uipc_socket2.c b/sys/kern/uipc_socket2.c
index d71806b..c1072b7 100644
--- a/sys/kern/uipc_socket2.c
+++ b/sys/kern/uipc_socket2.c
@@ -839,6 +839,8 @@ sbcreatecontrol(p, size, type, level)
register struct cmsghdr *cp;
struct mbuf *m;
+ if ((u_int)size > MLEN)
+ return ((struct mbuf *) NULL);
if ((m = m_get(M_DONTWAIT, MT_CONTROL)) == NULL)
return ((struct mbuf *) NULL);
cp = mtod(m, struct cmsghdr *);