From db918dfad5688e9a2980e5a898e349c871ff9524 Mon Sep 17 00:00:00 2001
From: julian
Date: Tue, 15 Jul 1997 23:25:32 +0000
Subject: Finally track down the reason for some of my occasional kernel crashes.
Route(1) has a bug that sends a bad message to the kernel. The kernel trusts it and crashes. Add some sanity checks so that we don't trust the user quite as much any more. (also add a comment in if_ethersubr.c)
---
 sys/net/rtsock.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
(limited to 'sys/net/rtsock.c')
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index ae1a900..79149e5 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  * @(#)rtsock.c 8.5 (Berkeley) 11/2/94
- * $Id: rtsock.c,v 1.26 1997/02/22 09:41:15 peter Exp $
+ * $Id: rtsock.c,v 1.27 1997/04/27 20:01:00 wollman Exp $
  */
@@ -506,6 +506,10 @@ rt_setmetrics(which, in, out)
 	((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
 
+/*
+ * Extract the addresses of the passed sockaddrs.
+ * Do a little sanity checking so as to avoid bad memory references.
+ */
 static void
 rt_xaddrs(cp, cplim, rtinfo)
 	register caddr_t cp, cplim;
@@ -515,9 +519,23 @@ rt_xaddrs(cp, cplim, rtinfo)
 	register int i;
 
 	bzero(rtinfo->rti_info, sizeof(rtinfo->rti_info));
-	for (i = 0; (i < RTAX_MAX) && (cp < cplim); i++) {
+	for (i = 0; i < RTAX_MAX; i++) {
 		if ((rtinfo->rti_addrs & (1 << i)) == 0)
 			continue;
+		/*
+		 * It won't fit. Pretend it doesn't exist.
+		 * Would return EINVAL if not void
+		 */
+		if ( (cp + sa->sa_len) > cplim )
+			return;
+		/*
+		 * there are no more.. quit now
+		 * If there are more bits, they are in error.
+		 * I've seen this. route(1) can evidently generate these.
+		 * This causes kernel to core dump.
+		 */
+		if (sa->sa_len == 0)
+			return;
 		rtinfo->rti_info[i] = sa = (struct sockaddr *)cp;
 		ADVANCE(cp, sa);
 	}
-- 
cgit v1.1
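Review bot: The two new checks in rt_xaddrs read `sa->sa_len` before `sa` is pointed at the current address; `sa` is only assigned from `cp` on the line after them (`rtinfo->rti_info[i] = sa = (struct sockaddr *)cp;`), so the first iteration reads whatever `sa` held on entry and every later iteration tests the previous sockaddr's length rather than the one at `cp`, which leaves the bad-message case the commit is meant to close still reachable. Moving the assignment up, `sa = (struct sockaddr *)cp;` ahead of the two `if`s and `rtinfo->rti_info[i] = sa;` after them, makes both checks apply to the address actually being consumed. Because the loop no longer stops at `cp < cplim`, the `sa_len` byte itself can sit at or past `cplim` when the previous entry ended exactly at the limit, so a `if (cp >= cplim) return;` before that read keeps the bound the old loop condition provided. The declaration of `sa` and the remainder of rt_xaddrs lie outside the hunk.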