Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/netbsd-8]: src/sys/netinet6 Pull up following revision(s) (requested by ...



details:   https://anonhg.NetBSD.org/src/rev/3ba1db418f05
branches:  netbsd-8
changeset: 445624:3ba1db418f05
user:      martin <martin%NetBSD.org@localhost>
date:      Tue Nov 06 14:44:22 2018 +0000

description:
Pull up following revision(s) (requested by ozaki-r in ticket #1081):

        sys/netinet6/udp6_usrreq.c: revision 1.143
        (applied to udp6_output.c, due to refactoring in -current)

Restore the length check of a sockaddr passed from userland at udp6_output

A sockaddr with invalid length could be passed to the network stack resulting in
a kernel panic like this:

        panic: sockaddr_copy: source too long, 28 < 128 bytes
        fatal breakpoint trap in supervisor mode
        trap type 1 code 0 rip 0xffffffff80216c35 cs 0x8 rflags 0x246
cr2 0x7f7ff7ef3000 ilevel 0x4 rsp 0xffff80003308b690
        curlwp 0xfffffe803e11ca40 pid 48.1 lowest kstack 0xffff8000330852c0
        Stopped in pid 48.1 (a.out) at  netbsd:breakpoint+0x5:  leave
        db{1}> bt
        breakpoint() at netbsd:breakpoint+0x5
        vpanic() at netbsd:vpanic+0x140
        panic() at netbsd:panic+0x3c
        sockaddr_copy() at netbsd:sockaddr_copy+0x95
        rtcache_setdst() at netbsd:rtcache_setdst+0x73
        rtcache_lookup2() at netbsd:rtcache_lookup2+0x56
        in6_selectroute() at netbsd:in6_selectroute+0x184
        in6_selectsrc() at netbsd:in6_selectsrc+0x119
        udp6_output() at netbsd:udp6_output+0x25e
        udp6_send_wrapper() at netbsd:udp6_send_wrapper+0x8a
        sosend() at netbsd:sosend+0x7bf
        do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x28e
        do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x89
        sys_sendto() at netbsd:sys_sendto+0x5c
        syscall() at netbsd:syscall+0x1ed
        --- syscall (number 133) ---
        7f7ff790173a:

Reported by Paul Ripke

diffstat:

 sys/netinet6/udp6_output.c |  8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diffs (29 lines):

diff -r fbf10164c195 -r 3ba1db418f05 sys/netinet6/udp6_output.c
--- a/sys/netinet6/udp6_output.c        Tue Nov 06 14:38:58 2018 +0000
+++ b/sys/netinet6/udp6_output.c        Tue Nov 06 14:44:22 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: udp6_output.c,v 1.55.6.1 2018/11/04 11:14:09 martin Exp $      */
+/*     $NetBSD: udp6_output.c,v 1.55.6.2 2018/11/06 14:44:22 martin Exp $      */
 /*     $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $    */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.55.6.1 2018/11/04 11:14:09 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.55.6.2 2018/11/06 14:44:22 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -139,6 +139,10 @@
 
        if (addr6) {
                sin6 = addr6;
+               if (sin6->sin6_len != sizeof(*sin6)) {
+                       error = EINVAL;
+                       goto release;
+               }
                if (sin6->sin6_family != AF_INET6) {
                        error = EAFNOSUPPORT;
                        goto release;



Home | Main Index | Thread Index | Old Index