svn commit: r267947 - head/sys/kern
Mateusz Guzik
mjg at FreeBSD.org
Fri Jun 27 05:04:37 UTC 2014
Author: mjg
Date: Fri Jun 27 05:04:36 2014
New Revision: 267947
URL: http://svnweb.freebsd.org/changeset/base/267947
Log:
Check lower bound of cmsg_len.
If passed cm->cmsg_len was below cmsghdr size the expression:
datalen = (caddr_t)cm + cm->cmsg_len - (caddr_t)data;
would give a negative result. However, in practice it would not
result in a crash because the kernel would try to obtain garbage fds
for given process and would error out with EBADF.
PR: 124908
Submitted by: campbell mumble.net (modified a little)
MFC after: 1 week
Modified:
head/sys/kern/uipc_usrreq.c
Modified: head/sys/kern/uipc_usrreq.c
==============================================================================
--- head/sys/kern/uipc_usrreq.c Fri Jun 27 04:17:05 2014 (r267946)
+++ head/sys/kern/uipc_usrreq.c Fri Jun 27 05:04:36 2014 (r267947)
@@ -1859,7 +1859,7 @@ unp_internalize(struct mbuf **controlp,
*controlp = NULL;
while (cm != NULL) {
if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
- || cm->cmsg_len > clen) {
+ || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) {
error = EINVAL;
goto out;
}
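Review bot: the new lower bound `cm->cmsg_len < sizeof(*cm)` may not fully cover the subtraction quoted in the log, because that expression is relative to `data`, not to the end of the header. If `data` is obtained with CMSG_DATA(cm) and the platform pads the header for alignment, `data` sits past `sizeof(*cm)`, and a cmsg_len that falls between `sizeof(*cm)` and that offset still passes this check and still makes datalen negative. Consider bounding against CMSG_LEN(0) instead, or adding an explicit `(caddr_t)cm + cm->cmsg_len < (caddr_t)data` rejection so the check matches the arithmetic it protects. A one-line comment above the condition naming the datalen computation would also help the next reader see why the lower bound is there.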