MFC r299507:

r299507 (by cem):

rtadvd(8): Fix a typo in full msg receive logic

Check against the size of the struct, not the pointer.  Previously, a message
with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow
and read(2) to be invoked with msglen size (implicitly cast to signed),
overrunning the caller-provided buffer.

All users of cm_recv() supply a stack buffer.

On the other hand, the rtadvd control socket appears to only be writable by the
owner, who is probably root.

While here, correct some types to be size_t or ssize_t.

CID:		1008477
Security:	unix socket remotes may overflow stack in rtadvd

1 files changed, 6 insertions, 6 deletions

diff --git a/usr.sbin/rtadvd/control.c b/usr.sbin/rtadvd/control.c
index 5e4a68b..fc6d536 100644
--- a/usr.sbin/rtadvd/control.c
+++ b/usr.sbin/rtadvd/control.c
@@ -59,7 +59,7 @@
 int
 cm_recv(int fd, char *buf)
 {
-	int n;
+	ssize_t n;
 	struct ctrl_msg_hdr	*cm;
 	char *msg;
 	struct pollfd pfds[1];
@@ -98,7 +98,7 @@ cm_recv(int fd, char *buf)
 		}
 	}
 
-	if (n != sizeof(*cm)) {
+	if (n != (ssize_t)sizeof(*cm)) {
 		syslog(LOG_WARNING,
 		    "<%s> received a too small message.", __func__);
 		goto cm_recv_err;
@@ -123,11 +123,11 @@ cm_recv(int fd, char *buf)
 	    "<%s> ctrl msg received: type=%d", __func__,
 	    cm->cm_type);
 
-	if (cm->cm_len > sizeof(cm)) {
-		int msglen = cm->cm_len - sizeof(*cm);
+	if (cm->cm_len > sizeof(*cm)) {
+		size_t msglen = cm->cm_len - sizeof(*cm);
 
 		syslog(LOG_DEBUG,
-		    "<%s> ctrl msg has payload (len=%d)", __func__,
+		    "<%s> ctrl msg has payload (len=%zu)", __func__,
 		    msglen);
 
 		for (;;) {
@@ -153,7 +153,7 @@ cm_recv(int fd, char *buf)
 			}
 			break;
 		}
-		if (n != msglen) {
+		if (n != (ssize_t)msglen) {
 			syslog(LOG_WARNING,
 			    "<%s> payload size mismatch.", __func__);
 			goto cm_recv_err;