git: 6f028e91084b - stable/13 - ng_hci: Add sockaddr validation to sendto()
Date: Mon, 29 Apr 2024 14:13:14 UTC
The branch stable/13 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=6f028e91084bfedb9a5ca99c857a9c30a094beb5 commit 6f028e91084bfedb9a5ca99c857a9c30a094beb5 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2024-04-22 15:48:00 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-04-29 14:05:34 +0000 ng_hci: Add sockaddr validation to sendto() ng_btsocket_hci_raw_send() wasn't verifying that the destination address specified by sendto() is large enough to fill a struct sockaddr_hci. Thus, when copying the socket address into an mbuf, ng_btsocket_hci_raw_send() may read past the end of the input sockaddr while copying. In practice this is effectively harmless since ng_btsocket_hci_raw_output() only uses the address to identify a netgraph node. Reported by: Oliver Sieber <oliver@secfault-security.com> MFC after: 1 week Sponsored by: The FreeBSD Foundation (cherry picked from commit 7f7b4926a779845116913c85ecbb10527daeab02) --- sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c index d4a447f4254f..de25f5369ffa 100644 --- a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c +++ b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c @@ -1610,6 +1610,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags, struct mbuf *m, goto drop; } + if (sa != NULL) { + if (sa->sa_family != AF_BLUETOOTH) { + error = EAFNOSUPPORT; + goto drop; + } + if (sa->sa_len != sizeof(struct sockaddr_hci)) { + error = EINVAL; + goto drop; + } + } + mtx_lock(&pcb->pcb_mtx); error = ng_btsocket_hci_raw_filter(pcb, m, 0);
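Review bot: The new `sa->sa_len != sizeof(struct sockaddr_hci)` test in the hunk is stricter than the commit message describes: the message says the address must be "large enough to fill a struct sockaddr_hci", but the code rejects any length other than exactly `sizeof(struct sockaddr_hci)` with EINVAL, so a caller that passes a larger buffer (for example a `struct sockaddr_storage`-sized length with `sa_len` set accordingly) now fails where it previously worked. If the exact-size requirement is intended, the commit message should say so; otherwise `sa->sa_len < sizeof(struct sockaddr_hci)` is the check that matches the stated bug (reading past the end of the input sockaddr). The placement is otherwise right: the new checks sit inside `if (sa != NULL)`, so the no-destination path is unchanged, and they run before `mtx_lock(&pcb->pcb_mtx)`, so both `goto drop` paths reach the label without holding the pcb mutex.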