The branch main has been updated by markj:
URL:
https://cgit.FreeBSD.org/src/commit/?id=7f7b4926a779845116913c85ecbb10527daeab02
commit 7f7b4926a779845116913c85ecbb10527daeab02
Author: Mark Johnston <ma...@freebsd.org>
AuthorDate: 2024-04-22 15:48:00 +0000
Commit: Mark Johnston <ma...@freebsd.org>
CommitDate: 2024-04-22 15:48:00 +0000
ng_hci: Add sockaddr validation to sendto()
ng_btsocket_hci_raw_send() wasn't verifying that the destination address
specified by sendto() is large enough to fill a struct sockaddr_hci.
Thus, when copying the socket address into an mbuf,
ng_btsocket_hci_raw_send() may read past the end of the input sockaddr
while copying.
In practice this is effectively harmless since
ng_btsocket_hci_raw_output() only uses the address to identify a
netgraph node.
Reported by: Oliver Sieber <oli...@secfault-security.com>
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
---
sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
index 5d015b2eac6e..b8caf0c515fd 100644
--- a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
+++ b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
@@ -1598,6 +1598,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags,
struct mbuf *m,
goto drop;
}
+ if (sa != NULL) {
+ if (sa->sa_family != AF_BLUETOOTH) {
+ error = EAFNOSUPPORT;
+ goto drop;
+ }
+ if (sa->sa_len != sizeof(struct sockaddr_hci)) {
+ error = EINVAL;
+ goto drop;
+ }
+ }
+
mtx_lock(&pcb->pcb_mtx);
error = ng_btsocket_hci_raw_filter(pcb, m, 0);
