| author | 2007-09-07 11:15:19 +0000 | |
|---|---|---|
| committer | 2007-09-07 11:15:19 +0000 | |
| commit | 3268bbb360879710e527d86196bad2c2ee328876 (patch) | |
| tree | 51b69760859394a4d1409a072fa813415bf782fa /sys/net/rtsock.c | |
| parent | use M_ZERO (diff) | |
| download | wireguard-openbsd-3268bbb360879710e527d86196bad2c2ee328876.tar.xz wireguard-openbsd-3268bbb360879710e527d86196bad2c2ee328876.zip | |
Check if rtm_hdrlen is smaller than the passed message or it would be possible
to access uninitialised memory.
Set dst to 0 on error, the error path tries to access dst but dst is inited
later down the code. This fixes a kernel panic seen by aanriot@
OK henning@
Diffstat (limited to 'sys/net/rtsock.c')
| -rw-r--r-- | sys/net/rtsock.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index 9ccb8befa4a..661192c0f9e 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rtsock.c,v 1.64 2007/09/03 15:24:49 claudio Exp $ */ +/* $OpenBSD: rtsock.c,v 1.65 2007/09/07 11:15:19 claudio Exp $ */ /* $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $ */ /* @@ -234,15 +234,22 @@ route_output(struct mbuf *m, ...) rtm->rtm_pid = curproc->p_pid; if (rtm->rtm_hdrlen == 0) /* old client */ rtm->rtm_hdrlen = sizeof(struct rt_msghdr); + if (len < rtm->rtm_hdrlen) { + dst = 0; + error = EINVAL; + goto flush; + } tableid = rtm->rtm_tableid; if (!rtable_exists(tableid)) { if (rtm->rtm_type == RTM_ADD) { if (rtable_add(tableid)) { + dst = 0; error = EINVAL; goto flush; } } else { + dst = 0; error = EINVAL; goto flush; } |
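Review bot: the new length test in route_output(), `if (len < rtm->rtm_hdrlen)`, only bounds rtm_hdrlen from above. In the lines shown, a nonzero rtm_hdrlen smaller than sizeof(struct rt_msghdr) still passes, because only the value 0 is replaced by the default just before the test. Consider rejecting that case in the same condition unless it is validated outside this hunk. Separately, `dst = 0` is now repeated ahead of all three `goto flush` sites in this hunk. Clearing dst once, before the first point that can jump to flush, would cover these paths and any error path added later, and a one-line comment saying that the flush path reads dst would explain why the assignment is there.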
