| author | 2009-11-21 13:05:32 +0000 | |
|---|---|---|
| committer | 2009-11-21 13:05:32 +0000 | |
| commit | 2c2ec14bdfd63302b9884d8efce7ebafb1711c97 (patch) | |
| tree | 560e89f9fc7a818e89d7acfef7bbe1a3bc6338ff /sys/netbt/l2cap_socket.c | |
| parent | remove unused variable (diff) | |
User triggerable KASSERT()s and NULL dereferences in netbt setsockopt()s,
found by Clement LECIGNE, localhost DoS everywhere. Also, don't leak
the mbuf when the wrong level is used.
ok claudio@, "just commit" deraadt@
Diffstat (limited to 'sys/netbt/l2cap_socket.c')
| -rw-r--r-- | sys/netbt/l2cap_socket.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/sys/netbt/l2cap_socket.c b/sys/netbt/l2cap_socket.c
index b67838481a6..11f3f818398 100644
--- a/sys/netbt/l2cap_socket.c
+++ b/sys/netbt/l2cap_socket.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: l2cap_socket.c,v 1.3 2008/11/22 04:42:58 uwe Exp $ */
+/* $OpenBSD: l2cap_socket.c,v 1.4 2009/11/21 13:05:32 guenther Exp $ */
 /* $NetBSD: l2cap_socket.c,v 1.9 2008/08/06 15:01:24 plunky Exp $ */
 /*-
@@ -278,10 +278,11 @@ l2cap_ctloutput(int req, struct socket *so, int level,
 if (pcb == NULL)
 return EINVAL;
- if (level != BTPROTO_L2CAP)
- return ENOPROTOOPT;
-
- switch(req) {
+ if (level != BTPROTO_L2CAP) {
+ err = EINVAL;
+ if (req == PRCO_SETOPT && *opt)
+ m_free(*opt);
+ } else switch(req) {
 case PRCO_GETOPT:
 m = m_get(M_WAIT, MT_SOOPTS);
 m->m_len = l2cap_getopt(pcb, optname, mtod(m, void *));
@@ -295,8 +296,7 @@ l2cap_ctloutput(int req, struct socket *so, int level,
 case PRCO_SETOPT:
 m = *opt;
- KASSERT(m != NULL);
- err = l2cap_setopt(pcb, optname, mtod(m, void *));
+ err = l2cap_setopt(pcb, optname, m);
 m_freem(m);
 break; |
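Review bot: The wrong-level branch releases the option with `m_free(*opt)`, but the PRCO_SETOPT case of this same function releases it with `m_freem(m)`; m_free() drops only the first mbuf, so if the option ever arrived as a chain the rest would still leak. I would use `m_freem(*opt);` in both places so the two paths cannot drift apart. The branch also changes the errno seen by userland from ENOPROTOOPT to EINVAL, which the commit message does not mention; if that is intended, a one-line comment such as `/* wrong level: reject, but we still own the SETOPT mbuf */` would record it. l2cap_ctloutput() starts and ends outside the hunk, so how `err` is returned is not visible here.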
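Review bot: With `KASSERT(m != NULL)` and the `mtod()` removed, the PRCO_SETOPT case passes a possibly NULL mbuf of unchecked length to `l2cap_setopt()`, and nothing at the call site says who validates it. The new l2cap_setopt() body is not in this file's diff, so presumably it rejects a NULL `m` and checks `m_len` before reading the option; a comment here would pin that contract, e.g. `/* m may be NULL or short; l2cap_setopt() must validate before use */`. The following `m_freem(m)` is now reached with `m == NULL` as well, which relies on m_freem() tolerating NULL. The case continues outside the hunk.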
