svn commit: r268341 - stable/10/sys/kern
Mateusz Guzik
mjg at FreeBSD.org
Sun Jul 6 23:01:30 UTC 2014
Author: mjg
Date: Sun Jul 6 23:01:29 2014
New Revision: 268341
URL: http://svnweb.freebsd.org/changeset/base/268341
Log:
MFC r267947:
Check lower bound of cmsg_len.
If passed cm->cmsg_len was below cmsghdr size the experssion:
datalen = (caddr_t)cm + cm->cmsg_len - (caddr_t)data;
would give negative result. However, in practice it would not
result in a crash because the kernel would try to obtain garbage fds
for given process and would error out with EBADF.
PR: 124908
Submitted by: campbell mumble.net (modified a little)
Modified:
stable/10/sys/kern/uipc_usrreq.c
Modified: stable/10/sys/kern/uipc_usrreq.c
==============================================================================
--- stable/10/sys/kern/uipc_usrreq.c Sun Jul 6 22:58:53 2014 (r268340)
+++ stable/10/sys/kern/uipc_usrreq.c Sun Jul 6 23:01:29 2014 (r268341)
@@ -1859,7 +1859,7 @@ unp_internalize(struct mbuf **controlp,
*controlp = NULL;
while (cm != NULL) {
if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
- || cm->cmsg_len > clen) {
+ || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) {
error = EINVAL;
goto out;
}
More information about the svn-src-stable
mailing list