author bluhm <bluhm@openbsd.org> 2021-01-09 15:30:38 +0000
committer bluhm <bluhm@openbsd.org> 2021-01-09 15:30:38 +0000
commit a47f48c5303edcdbff8f74b67093a0288a158202 (patch)
tree bedf299d585a1faa540a49522f19f39f2907df1c
parent Syzkaller has found a stack overflow in socket splicing. Broadcast (diff)
download wireguard-openbsd-a47f48c5303edcdbff8f74b67093a0288a158202.tar.xz
wireguard-openbsd-a47f48c5303edcdbff8f74b67093a0288a158202.zip
If the loop check in somove(9) goes to release without setting an error, a broadcast mbuf will stay in the socket buffer forever. This is bad as multiple mbufs can use up all the space. Better report ELOOP, dissolve splicing, and let userland handle it.
OK anton@
-rw-r--r-- sys/kern/uipc_socket.c 5
1 files changed, 2 insertions, 3 deletions
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index edc2b1495a0..bf9ecaff692 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_socket.c,v 1.252 2020/12/25 12:59:52 visa Exp $ */
+/* $OpenBSD: uipc_socket.c,v 1.253 2021/01/09 15:30:38 bluhm Exp $ */
/* $NetBSD: uipc_socket.c,v 1.21 1996/02/04 02:17:52 christos Exp $ */
/*
@@ -1451,8 +1451,7 @@ somove(struct socket *so, int wait)
if ((m->m_flags & M_PKTHDR) &&
((m->m_pkthdr.ph_loopcnt++ >= M_MAXLOOP) ||
((m->m_flags & M_LOOP) && (m->m_flags & (M_BCAST|M_MCAST))))) {
- if (m->m_pkthdr.ph_loopcnt >= M_MAXLOOP)
- error = ELOOP;
+ error = ELOOP;
goto release;
}
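Review bot: The branch ending in "error = ELOOP; goto release;" now covers two distinct conditions with one errno and no comment: ph_loopcnt reaching M_MAXLOOP, and an M_LOOP packet that is also M_BCAST or M_MCAST. Since the stated intent is for userland to handle the dissolved splice, a short comment above the "if" naming both cases would help, because a reader who sees ELOOP cannot tell from this code whether a real splice loop or a looped-back broadcast/multicast packet triggered it. Note also that ph_loopcnt++ sits in the first operand of the "||", so the counter is incremented for every M_PKTHDR mbuf that reaches this test, including the ones rejected by the broadcast/multicast clause; that is harmless now that the inner re-check of ph_loopcnt is gone, but worth keeping in mind if the condition is reordered later. A regression test that splices a socket receiving looped broadcast traffic and asserts that the splice ends with ELOOP would pin the new behaviour down.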