diff options
| author |   claudio <claudio@openbsd.org> | 2018-11-21 17:07:07 +0000 |
|---|---|---|
| committer | claudio <claudio@openbsd.org> | 2018-11-21 17:07:07 +0000 |
| commit | 97aa0691961a19e13ba6462bce70d502bfe82ff8 (patch) | |
| tree | 043c6f115cdd4c7ba5de2c40b0040d5c207f31a5 | |
| parent | When using MSG_PEEK to peak into packets skip control messages holding (diff) | |
| download | wireguard-openbsd-97aa0691961a19e13ba6462bce70d502bfe82ff8.tar.xz wireguard-openbsd-97aa0691961a19e13ba6462bce70d502bfe82ff8.zip | |
In unp_internalize() check the length more carefully preventing an
underflow in a later calcuation. Using the same CMSG_LEN(0) check
that other cmsghdr handlers implemented.
Probelm found by anton@
OK anton@, deraadt@, visa@
| -rw-r--r-- | sys/kern/uipc_usrreq.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c index bd819c07086..e8ba18b1632 100644 --- a/sys/kern/uipc_usrreq.c +++ b/sys/kern/uipc_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: uipc_usrreq.c,v 1.136 2018/11/21 16:50:49 claudio Exp $ */ +/* $OpenBSD: uipc_usrreq.c,v 1.137 2018/11/21 17:07:07 claudio Exp $ */ /* $NetBSD: uipc_usrreq.c,v 1.18 1996/02/09 19:00:50 christos Exp $ */ /* @@ -807,6 +807,8 @@ unp_internalize(struct mbuf *control, struct proc *p) * Check for two potential msg_controllen values because * IETF stuck their nose in a place it does not belong. */ + if (control->m_len < CMSG_LEN(0) || cm->cmsg_len < CMSG_LEN(0)) + return (EINVAL); if (cm->cmsg_type != SCM_RIGHTS || cm->cmsg_level != SOL_SOCKET || !(cm->cmsg_len == control->m_len || control->m_len == CMSG_ALIGN(cm->cmsg_len))) |