svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd
Bryan Drewery
bdrewery at FreeBSD.org
Tue May 17 23:10:10 UTC 2016
On 5/17/16 4:07 PM, Gleb Smirnoff wrote:
> On Tue, May 17, 2016 at 03:59:26PM -0700, Bryan Drewery wrote:
> B> > Author: glebius
> B> > Date: Tue May 17 22:28:36 2016
> B> > New Revision: 300088
> B> > URL: https://svnweb.freebsd.org/changeset/base/300088
> B> >
> B> > Log:
> B> > - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
> B> > - Validate that user supplied control message length in sendmsg(2)
> B> > is not negative.
> B>
> B> The sendmsg(2) change is not included here (9.3) nor in the advisory but
> B> is in the commit log. Was it intended to be changed in 9.3?
>
> That was my failure to mention SA-16:19 in commit message for 9.3. It doesn't
> apply to 9.x.
>
> B> Plus the only consumer I see is sendit() which seems to be protected
> B> already from negative values when not using COMPAT_43:
> B>
> B> > if (mp->msg_controllen < sizeof(struct cmsghdr)
> B> > #ifdef COMPAT_OLDSOCK
> B> > && mp->msg_flags != MSG_COMPAT
> B> > #endif
> B> > ) {
> B> > error = EINVAL;
> B> > goto bad;
> B> > }
> B> > error = sockargs(&control, mp->msg_control,
> B> > mp->msg_controllen, MT_CONTROL);
>
> No, it isn't protected. In the comparison (mp->msg_controllen < sizeof(struct cmsghdr))
> both values are unsigned. Later in sockargs() it is treated as signed.
Ah, I see the (u_int)buflen casts on the older code now. Thanks.
--
Regards,
Bryan Drewery
More information about the svn-src-releng
mailing list