git: 6f028e91084b - stable/13 - ng_hci: Add sockaddr validation to sendto()

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Mon, 29 Apr 2024 14:13:14 UTC
The branch stable/13 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=6f028e91084bfedb9a5ca99c857a9c30a094beb5

commit 6f028e91084bfedb9a5ca99c857a9c30a094beb5
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-04-22 15:48:00 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-04-29 14:05:34 +0000

    ng_hci: Add sockaddr validation to sendto()
    
    ng_btsocket_hci_raw_send() wasn't verifying that the destination address
    specified by sendto() is large enough to fill a struct sockaddr_hci.
    Thus, when copying the socket address into an mbuf,
    ng_btsocket_hci_raw_send() may read past the end of the input sockaddr
    while copying.
    
    In practice this is effectively harmless since
    ng_btsocket_hci_raw_output() only uses the address to identify a
    netgraph node.
    
    Reported by:    Oliver Sieber <oliver@secfault-security.com>
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 7f7b4926a779845116913c85ecbb10527daeab02)
---
 sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
index d4a447f4254f..de25f5369ffa 100644
--- a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
+++ b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
@@ -1610,6 +1610,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags, struct mbuf *m,
 		goto drop;
 	}
 
+	if (sa != NULL) {
+		if (sa->sa_family != AF_BLUETOOTH) {
+			error = EAFNOSUPPORT;
+			goto drop;
+		}
+		if (sa->sa_len != sizeof(struct sockaddr_hci)) {
+			error = EINVAL;
+			goto drop;
+		}
+	}
+
 	mtx_lock(&pcb->pcb_mtx);
 
 	error = ng_btsocket_hci_raw_filter(pcb, m, 0);