Author: ngie
Date: Fri Jun 10 18:04:54 2016
New Revision: 301804
URL: https://svnweb.freebsd.org/changeset/base/301804

Log:
  MFstable/10 r301803:
  
  MFC r299507:
  r299507 (by cem):
  
  rtadvd(8): Fix a typo in full msg receive logic
  
  Check against the size of the struct, not the pointer.  Previously, a message
  with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow
  and read(2) to be invoked with msglen size (implicitly cast to signed),
  overrunning the caller-provided buffer.
  
  All users of cm_recv() supply a stack buffer.
  
  On the other hand, the rtadvd control socket appears to only be writable by the
  owner, who is probably root.
  
  While here, correct some types to be size_t or ssize_t.
  
  CID:          1008477
  Security:     unix socket remotes may overflow stack in rtadvd

Modified:
  stable/9/usr.sbin/rtadvd/control.c
Directory Properties:
  stable/9/   (props changed)
  stable/9/usr.sbin/   (props changed)
  stable/9/usr.sbin/rtadvd/   (props changed)

Modified: stable/9/usr.sbin/rtadvd/control.c
==============================================================================
--- stable/9/usr.sbin/rtadvd/control.c  Fri Jun 10 18:02:51 2016        
(r301803)
+++ stable/9/usr.sbin/rtadvd/control.c  Fri Jun 10 18:04:54 2016        
(r301804)
@@ -59,7 +59,7 @@
 int
 cm_recv(int fd, char *buf)
 {
-       int n;
+       ssize_t n;
        struct ctrl_msg_hdr     *cm;
        char *msg;
        struct pollfd pfds[1];
@@ -98,7 +98,7 @@ cm_recv(int fd, char *buf)
                }
        }
 
-       if (n != sizeof(*cm)) {
+       if (n != (ssize_t)sizeof(*cm)) {
                syslog(LOG_WARNING,
                    "<%s> received a too small message.", __func__);
                goto cm_recv_err;
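Review bot: The `n != (ssize_t)sizeof(*cm)` test also fires when the preceding read failed (n would presumably be -1; the read call itself is outside this hunk), yet the only warning logged is "received a too small message". That makes an I/O error and a truncated header indistinguishable in syslog, which matters when triaging malformed traffic on the control socket. Consider handling the error case first, e.g. `if (n < 0) { syslog(LOG_WARNING, "<%s> read: %s", __func__, strerror(errno)); goto cm_recv_err; }`. The same applies to the `n != (ssize_t)msglen` check in the last hunk, which logs only "payload size mismatch".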
@@ -123,11 +123,11 @@ cm_recv(int fd, char *buf)
            "<%s> ctrl msg received: type=%d", __func__,
            cm->cm_type);
 
-       if (cm->cm_len > sizeof(cm)) {
-               int msglen = cm->cm_len - sizeof(*cm);
+       if (cm->cm_len > sizeof(*cm)) {
+               size_t msglen = cm->cm_len - sizeof(*cm);
 
                syslog(LOG_DEBUG,
-                   "<%s> ctrl msg has payload (len=%d)", __func__,
+                   "<%s> ctrl msg has payload (len=%zu)", __func__,
                    msglen);
 
                for (;;) {
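Review bot: Nothing visible in this hunk bounds `msglen` from above. After the corrected `cm->cm_len > sizeof(*cm)` test, `msglen` is the peer-supplied `cm_len` minus the header size, and `cm_recv(int fd, char *buf)` takes no buffer length to compare it against. An upper-bound check on `cm_len` may exist earlier in the function, outside the hunk. If so, a comment here would record the invariant the payload read depends on, e.g. `/* cm_len was checked against the caller's buffer size above, so msglen bytes fit after the header */`. If there is no such check, one is needed before the payload is read into the stack buffer. cm_recv's body starts and ends outside this hunk.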
@@ -153,7 +153,7 @@ cm_recv(int fd, char *buf)
                        }
                        break;
                }
-               if (n != msglen) {
+               if (n != (ssize_t)msglen) {
                        syslog(LOG_WARNING,
                            "<%s> payload size mismatch.", __func__);
                        goto cm_recv_err;