Module Name: src
Committed By: maxv
Date: Mon Oct 14 16:43:04 UTC 2019
Modified Files:
src/sys/net: rtsock_shared.c
Log Message:
Error out if the type is beyond the storage size. No functional change,
since the shift would otherwise 'and' against zero, returning EEXIST.
Reported-by: syzbot+cb68ccdc1ef3aca2d...@syzkaller.appspotmail.com
To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/sys/net/rtsock_shared.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/rtsock_shared.c
diff -u src/sys/net/rtsock_shared.c:1.10 src/sys/net/rtsock_shared.c:1.11
--- src/sys/net/rtsock_shared.c:1.10 Mon Aug 19 03:23:30 2019
+++ src/sys/net/rtsock_shared.c Mon Oct 14 16:43:04 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: rtsock_shared.c,v 1.10 2019/08/19 03:23:30 ozaki-r Exp $ */
+/* $NetBSD: rtsock_shared.c,v 1.11 2019/10/14 16:43:04 maxv Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.10 2019/08/19 03:23:30 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.11 2019/10/14 16:43:04 maxv Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -227,6 +227,8 @@ COMPATNAME(route_filter)(struct mbuf *m,
return EINVAL;
rtm = mtod(m, struct rt_xmsghdr *);
+ if (rtm->rtm_type >= sizeof(rop->rocb_msgfilter) * CHAR_BIT)
+ return EINVAL;
/* If the rtm type is filtered out, return a positive. */
if (!(rop->rocb_msgfilter & RTMSGFILTER(rtm->rtm_type)))
return EEXIST;
