author mjg <mjg@FreeBSD.org> 2014-06-27 05:04:36 +0000
committer mjg <mjg@FreeBSD.org> 2014-06-27 05:04:36 +0000
commit 21b16efdd1e1869dbbc41e35773a3d4d71b7e86b (patch)
tree 3f0e08d9bfdd8f1f0b19b0f484ed02b88de1b794 /sys
parent da67e0c76e97f98e65b74852e2cf173c344ea29f (diff)
Check lower bound of cmsg_len.

If passed cm->cmsg_len was below cmsghdr size the expression:
datalen = (caddr_t)cm + cm->cmsg_len - (caddr_t)data;

would give negative result. However, in practice it would not result
in a crash because the kernel would try to obtain garbage fds for given
process and would error out with EBADF.

PR: 124908
Submitted by: campbell mumble.net (modified a little)
MFC after: 1 week
Diffstat (limited to 'sys')
-rw-r--r-- sys/kern/uipc_usrreq.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index 90a815c..1b8b1b4 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -1859,7 +1859,7 @@ unp_internalize(struct mbuf **controlp, struct thread *td)
*controlp = NULL;
while (cm != NULL) {
if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
- || cm->cmsg_len > clen) {
+ || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) {
error = EINVAL;
goto out;
}
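Review bot: The new lower bound cm->cmsg_len < sizeof(*cm) may be too loose if data, in the expression quoted in the commit message, points at the aligned payload start (CMSG_DATA(cm)) rather than directly past the header. Where the header is padded for alignment, a cmsg_len between sizeof(*cm) and CMSG_LEN(0) would pass this check and still make (caddr_t)cm + cm->cmsg_len - (caddr_t)data negative. Consider comparing against CMSG_LEN(0) instead, and add a short comment above the condition stating that the lower bound exists to keep datalen non-negative, since the hunk gives no hint of why it is there.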