Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-8]: src/sys/netinet6 Pull up following revision(s) (requested by ...
details: https://anonhg.NetBSD.org/src/rev/3ba1db418f05
branches: netbsd-8
changeset: 445624:3ba1db418f05
user: martin <martin%NetBSD.org@localhost>
date: Tue Nov 06 14:44:22 2018 +0000
description:
Pull up following revision(s) (requested by ozaki-r in ticket #1081):
sys/netinet6/udp6_usrreq.c: revision 1.143
(applied to udp6_output.c, due to refactoring in -current)
Restore the length check of a sockaddr passed from userland at udp6_output
A sockaddr with invalid length could be passed to the network stack resulting in
a kernel panic like this:
panic: sockaddr_copy: source too long, 28 < 128 bytes
fatal breakpoint trap in supervisor mode
trap type 1 code 0 rip 0xffffffff80216c35 cs 0x8 rflags 0x246
cr2 0x7f7ff7ef3000 ilevel 0x4 rsp 0xffff80003308b690
curlwp 0xfffffe803e11ca40 pid 48.1 lowest kstack 0xffff8000330852c0
Stopped in pid 48.1 (a.out) at netbsd:breakpoint+0x5: leave
db{1}> bt
breakpoint() at netbsd:breakpoint+0x5
vpanic() at netbsd:vpanic+0x140
panic() at netbsd:panic+0x3c
sockaddr_copy() at netbsd:sockaddr_copy+0x95
rtcache_setdst() at netbsd:rtcache_setdst+0x73
rtcache_lookup2() at netbsd:rtcache_lookup2+0x56
in6_selectroute() at netbsd:in6_selectroute+0x184
in6_selectsrc() at netbsd:in6_selectsrc+0x119
udp6_output() at netbsd:udp6_output+0x25e
udp6_send_wrapper() at netbsd:udp6_send_wrapper+0x8a
sosend() at netbsd:sosend+0x7bf
do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x28e
do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x89
sys_sendto() at netbsd:sys_sendto+0x5c
syscall() at netbsd:syscall+0x1ed
--- syscall (number 133) ---
7f7ff790173a:
Reported by Paul Ripke
diffstat:
sys/netinet6/udp6_output.c | 8 ++++++--
1 files changed, 6 insertions(+), 2 deletions(-)
diffs (29 lines):
diff -r fbf10164c195 -r 3ba1db418f05 sys/netinet6/udp6_output.c
--- a/sys/netinet6/udp6_output.c Tue Nov 06 14:38:58 2018 +0000
+++ b/sys/netinet6/udp6_output.c Tue Nov 06 14:44:22 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: udp6_output.c,v 1.55.6.1 2018/11/04 11:14:09 martin Exp $ */
+/* $NetBSD: udp6_output.c,v 1.55.6.2 2018/11/06 14:44:22 martin Exp $ */
/* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.55.6.1 2018/11/04 11:14:09 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.55.6.2 2018/11/06 14:44:22 martin Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -139,6 +139,10 @@
if (addr6) {
sin6 = addr6;
+ if (sin6->sin6_len != sizeof(*sin6)) {
+ error = EINVAL;
+ goto release;
+ }
if (sin6->sin6_family != AF_INET6) {
error = EAFNOSUPPORT;
goto release;
Home |
Main Index |
Thread Index |
Old Index