Source-Changes-HG archive


[src/trunk]: src/sys/net route(4): Avoid unaligned access to struct rt_msghdr...



details:   https://anonhg.NetBSD.org/src/rev/bc0528913030
branches:  trunk
changeset: 368227:bc0528913030
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Wed Jun 29 23:15:08 2022 +0000

description:
route(4): Avoid unaligned access to struct rt_msghdr, take two.

Can't even take the address of the misaligned struct member for
memcpy.  Just copy the header out into a stack variable instead.

Reported-by: syzbot+083d9be5cb3c2e78ed1c%syzkaller.appspotmail.com@localhost

diffstat:

 sys/net/rtsock_shared.c |  11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

diffs (46 lines):

diff -r c9724bd01e01 -r bc0528913030 sys/net/rtsock_shared.c
--- a/sys/net/rtsock_shared.c   Wed Jun 29 22:27:12 2022 +0000
+++ b/sys/net/rtsock_shared.c   Wed Jun 29 23:15:08 2022 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: rtsock_shared.c,v 1.20 2022/06/26 21:42:19 riastradh Exp $     */
+/*     $NetBSD: rtsock_shared.c,v 1.21 2022/06/29 23:15:08 riastradh Exp $     */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.20 2022/06/26 21:42:19 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.21 2022/06/29 23:15:08 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -647,6 +647,7 @@
 COMPATNAME(route_output)(struct mbuf *m, struct socket *so)
 {
        struct sockproto proto = { .sp_family = PF_XROUTE, };
+       struct rt_xmsghdr hdr;
        struct rt_xmsghdr *rtm = NULL;
        struct rt_xmsghdr *old_rtm = NULL, *new_rtm = NULL;
        struct rtentry *rt = NULL;
@@ -658,7 +659,6 @@
        int bound = curlwp_bind();
        bool do_rt_free = false;
        struct sockaddr_storage netmask;
-       unsigned short msglen;
 
 #define senderr(e) do { error = e; goto flush;} while (/*CONSTCOND*/ 0)
        if (m == NULL || ((m->m_len < sizeof(int32_t)) &&
@@ -673,9 +673,8 @@
                info.rti_info[RTAX_DST] = NULL;
                senderr(EINVAL);
        }
-       memcpy(&msglen, &mtod(m, struct rt_xmsghdr *)->rtm_msglen,
-           sizeof(msglen));
-       if (len != msglen) {
+       m_copydata(m, 0, sizeof(hdr), &hdr);
+       if (len != hdr.rtm_msglen) {
                info.rti_info[RTAX_DST] = NULL;
                senderr(EINVAL);
        }
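Review bot: The new `m_copydata(m, 0, sizeof(hdr), &hdr)` is only safe when the mbuf chain holds at least `sizeof(hdr)` bytes, and the test that would guarantee this sits above the hunk, where only its `senderr(EINVAL)` tail is visible. This path parses a message supplied through a routing socket, so I would tie the two together with a comment above the copy, e.g. `/* mtod(m) may be misaligned for struct rt_xmsghdr; len >= sizeof(hdr) was checked above, so copy the header out */`, adjusted if the preceding test compares against something else. As far as this diff shows, `hdr` is read only for `rtm_msglen`, so a one-line comment at its declaration in the earlier hunk (`/* aligned stack copy of the header, used to validate rtm_msglen */`) would stop later code from treating it as the validated message. The body of route_output starts and continues outside these hunks, so the remaining uses of `rtm` could not be checked here.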


