Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/net route(4): Use m_copydata, not misaligned mtod struct...
details: https://anonhg.NetBSD.org/src/rev/ff25e0fb53d0
branches: trunk
changeset: 368253:ff25e0fb53d0
user: riastradh <riastradh%NetBSD.org@localhost>
date: Fri Jul 01 21:22:23 2022 +0000
description:
route(4): Use m_copydata, not misaligned mtod struct access.
XXX Maybe this should check rtm_len too like route_output does.
Reported-by: syzbot+d37eaf0a26097572bbbc%syzkaller.appspotmail.com@localhost
https://syzkaller.appspot.com/bug?id=3cdfefd8b7938c9606ed68b4191e97fabdbd7b08
diffstat:
sys/net/rtsock_shared.c | 25 +++++++++++++------------
1 files changed, 13 insertions(+), 12 deletions(-)
diffs (73 lines):
diff -r 3c4f36975666 -r ff25e0fb53d0 sys/net/rtsock_shared.c
--- a/sys/net/rtsock_shared.c Fri Jul 01 20:53:13 2022 +0000
+++ b/sys/net/rtsock_shared.c Fri Jul 01 21:22:23 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: rtsock_shared.c,v 1.21 2022/06/29 23:15:08 riastradh Exp $ */
+/* $NetBSD: rtsock_shared.c,v 1.22 2022/07/01 21:22:23 riastradh Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.21 2022/06/29 23:15:08 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.22 2022/07/01 21:22:23 riastradh Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -213,7 +213,7 @@
struct rawcb *rp)
{
struct routecb *rop = (struct routecb *)rp;
- struct rt_xmsghdr *rtm;
+ struct rt_xmsghdr rtm;
KASSERT(m != NULL);
KASSERT(proto != NULL);
@@ -229,18 +229,19 @@
/* Ensure we can access rtm_type */
if (m->m_len <
- offsetof(struct rt_xmsghdr, rtm_type) + sizeof(rtm->rtm_type))
+ offsetof(struct rt_xmsghdr, rtm_type) + sizeof(rtm.rtm_type))
return EINVAL;
- rtm = mtod(m, struct rt_xmsghdr *);
- if (rtm->rtm_type >= sizeof(rop->rocb_msgfilter) * CHAR_BIT)
+ m_copydata(m, offsetof(struct rt_xmsghdr, rtm_type),
+ sizeof(rtm.rtm_type), &rtm.rtm_type);
+ if (rtm.rtm_type >= sizeof(rop->rocb_msgfilter) * CHAR_BIT)
return EINVAL;
/* If the rtm type is filtered out, return a positive. */
if (rop->rocb_msgfilter != 0 &&
- !(rop->rocb_msgfilter & RTMSGFILTER(rtm->rtm_type)))
+ !(rop->rocb_msgfilter & RTMSGFILTER(rtm.rtm_type)))
return EEXIST;
- if (rop->rocb_missfilterlen != 0 && rtm->rtm_type == RTM_MISS) {
+ if (rop->rocb_missfilterlen != 0 && rtm.rtm_type == RTM_MISS) {
__CTASSERT(RTAX_DST == 0);
struct sockaddr_storage ss;
struct sockaddr *dst = (struct sockaddr *)&ss, *sa;
@@ -248,16 +249,16 @@
char *ep = cp + rop->rocb_missfilterlen;
/* Ensure we can access sa_len */
- if (m->m_pkthdr.len < sizeof(*rtm) + _SA_MINSIZE)
+ if (m->m_pkthdr.len < sizeof(rtm) + _SA_MINSIZE)
return EINVAL;
- m_copydata(m, sizeof(*rtm) + offsetof(struct sockaddr, sa_len),
+ m_copydata(m, sizeof(rtm) + offsetof(struct sockaddr, sa_len),
sizeof(ss.ss_len), &ss.ss_len);
if (ss.ss_len < _SA_MINSIZE ||
ss.ss_len > sizeof(ss) ||
- m->m_pkthdr.len < sizeof(*rtm) + ss.ss_len)
+ m->m_pkthdr.len < sizeof(rtm) + ss.ss_len)
return EINVAL;
/* Copy out the destination sockaddr */
- m_copydata(m, sizeof(*rtm), ss.ss_len, &ss);
+ m_copydata(m, sizeof(rtm), ss.ss_len, &ss);
/* Find a matching sockaddr in the filter */
while (cp < ep) {
Home |
Main Index |
Thread Index |
Old Index