[Bug 218919] setsockopt() accepts too long arguments allowing programmer errors
bugzilla-noreply at freebsd.org
Thu Apr 27 17:39:34 UTC 2017
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218919
Bug ID: 218919
Summary: setsockopt() accepts too long arguments allowing
programmer errors
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-net at FreeBSD.org
Reporter: brooks at FreeBSD.org

When a programmer mistakenly passes a size_t to a setsockopt() command that
takes an int, the sooptcopyin() function ignores the extra size. On
little-endian systems, the result works anyway. On big-endian systems, the
wrong bits of the size get copied, resulting in failure. An example of this can
be seen in https://reviews.freebsd.org/D10518.

Due to the use of unions as arguments to some setsockopt() commands, it is
somewhat clear why sooptcopyin() takes a length and minlength. It's less clear
to me that over-length parameters should be allowed, and in the case of
int/size_t confusion, the current behavior is just wrong.

https://reviews.freebsd.org/D10519 contains one possible partial fix, but I
think a larger sweep is required and something more like a sooptcopyin_exact()
might be a better approach.
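
The int/size_t confusion described in the report, as an added example (not FreeBSD source and not part of the original message): a userland model of the lenient length check next to a strict one. The names copyin_lenient, copyin_exact and option_seen are hypothetical, a 64-bit size_t and 32-bit int are assumed, and byte order is simulated so both cases run on any host.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the lenient length check the report describes: too short is
 * EINVAL, bytes past `len` are silently dropped. Not kernel source. */
static int copyin_lenient(void *dst, size_t len, size_t minlen,
                          const void *val, size_t valsize)
{
    if (valsize < minlen)
        return EINVAL;
    memcpy(dst, val, valsize < len ? valsize : len);
    return 0;
}

/* Hypothetical strict variant: any length other than `len` is an error. */
static int copyin_exact(void *dst, size_t len, const void *val, size_t valsize)
{
    if (valsize != len)
        return EINVAL;
    memcpy(dst, val, len);
    return 0;
}

/* Byte `i` of an n-byte integer sits at this bit offset in the given order. */
static unsigned shift_of(int i, int n, int big_endian)
{
    return 8u * (unsigned)(big_endian ? n - 1 - i : i);
}

/* Caller passes a 64-bit size_t holding `value` where the option takes a
 * 32-bit int. Returns the int the handler would see, or -errno if rejected. */
static long option_seen(uint64_t value, int big_endian, int exact)
{
    unsigned char user[8], kern[4];
    uint32_t seen = 0;
    int i, error;

    for (i = 0; i < 8; i++)
        user[i] = (unsigned char)(value >> shift_of(i, 8, big_endian));
    error = exact ? copyin_exact(kern, sizeof(kern), user, sizeof(user))
                  : copyin_lenient(kern, sizeof(kern), sizeof(kern), user, sizeof(user));
    if (error != 0)
        return -(long)error;
    for (i = 0; i < 4; i++)
        seen |= (uint32_t)kern[i] << shift_of(i, 4, big_endian);
    return (long)seen;
}
```

With the lenient check, a caller that meant to enable an option with the value 1 succeeds on little-endian and silently passes 0 on big-endian; the strict check returns EINVAL on both, so the mistake surfaces on the developer's machine regardless of architecture.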