netinet6

Martin Husemann Tue, 06 Nov 2018 06:44:47 -0800

Module Name:    src
Committed By:   martin
Date:           Tue Nov  6 14:44:23 UTC 2018


Modified Files:
        src/sys/netinet6 [netbsd-8]: udp6_output.c

Log Message:
Pull up following revision(s) (requested by ozaki-r in ticket #1081):

        sys/netinet6/udp6_usrreq.c: revision 1.143
        (applied to udp6_output.c, due to refactoring in -current)

Restore the length check of a sockaddr passed from userland at udp6_output

A sockaddr with invalid length could be passed to the network stack resulting in
a kernel panic like this:

        panic: sockaddr_copy: source too long, 28 < 128 bytes
        fatal breakpoint trap in supervisor mode
        trap type 1 code 0 rip 0xffffffff80216c35 cs 0x8 rflags 0x246
cr2 0x7f7ff7ef3000 ilevel 0x4 rsp 0xffff80003308b690
        curlwp 0xfffffe803e11ca40 pid 48.1 lowest kstack 0xffff8000330852c0
        Stopped in pid 48.1 (a.out) at  netbsd:breakpoint+0x5:  leave
        db{1}> bt
        breakpoint() at netbsd:breakpoint+0x5
        vpanic() at netbsd:vpanic+0x140
        panic() at netbsd:panic+0x3c
        sockaddr_copy() at netbsd:sockaddr_copy+0x95
        rtcache_setdst() at netbsd:rtcache_setdst+0x73
        rtcache_lookup2() at netbsd:rtcache_lookup2+0x56
        in6_selectroute() at netbsd:in6_selectroute+0x184
        in6_selectsrc() at netbsd:in6_selectsrc+0x119
        udp6_output() at netbsd:udp6_output+0x25e
        udp6_send_wrapper() at netbsd:udp6_send_wrapper+0x8a
        sosend() at netbsd:sosend+0x7bf
        do_sys_sendmsg_so() at netbsd:do_sys_sendmsg_so+0x28e
        do_sys_sendmsg() at netbsd:do_sys_sendmsg+0x89
        sys_sendto() at netbsd:sys_sendto+0x5c
        syscall() at netbsd:syscall+0x1ed
        --- syscall (number 133) ---
        7f7ff790173a:

Reported by Paul Ripke


To generate a diff of this commit:
cvs rdiff -u -r1.55.6.1 -r1.55.6.2 src/sys/netinet6/udp6_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netinet6/udp6_output.c
diff -u src/sys/netinet6/udp6_output.c:1.55.6.1 src/sys/netinet6/udp6_output.c:1.55.6.2
--- src/sys/netinet6/udp6_output.c:1.55.6.1	Sun Nov  4 11:14:09 2018
+++ src/sys/netinet6/udp6_output.c	Tue Nov  6 14:44:22 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: udp6_output.c,v 1.55.6.1 2018/11/04 11:14:09 martin Exp $	*/
+/*	$NetBSD: udp6_output.c,v 1.55.6.2 2018/11/06 14:44:22 martin Exp $	*/
 /*	$KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.55.6.1 2018/11/04 11:14:09 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp6_output.c,v 1.55.6.2 2018/11/06 14:44:22 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -139,6 +139,10 @@ udp6_output(struct in6pcb * const in6p, 
 
 	if (addr6) {
 		sin6 = addr6;
+		if (sin6->sin6_len != sizeof(*sin6)) {
+			error = EINVAL;
+			goto release;
+		}
 		if (sin6->sin6_family != AF_INET6) {
 			error = EAFNOSUPPORT;
 			goto release;

CVS commit: [netbsd-8] src/sys/netinet6

Reply via email to