Fri Mar 6 03:35:00 2015 UTC ()
Return EINVAL if namelen isn't large enough to encompass the expected
members of sockaddr structures, i.e. sa_len and sa_family.

Discussed with and patch by christos@


(rtr)
diff -r1.173 -r1.174 src/sys/kern/uipc_syscalls.c


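--- a/src/sys/kern/uipc_syscalls.c
+++ b/src/sys/kern/uipc_syscalls.c
@@ -1,14 +1,14 @@
-/* $NetBSD: uipc_syscalls.c,v 1.173 2014/09/05 09:20:59 matt Exp $ */
+/* $NetBSD: uipc_syscalls.c,v 1.174 2015/03/06 03:35:00 rtr Exp $ */
 
 /*-
  * Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This code is derived from software contributed to The NetBSD Foundation
  * by Andrew Doran.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
@@ -51,27 +51,27 @@
  * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
  * @(#)uipc_syscalls.c 8.6 (Berkeley) 2/14/95
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.173 2014/09/05 09:20:59 matt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_syscalls.c,v 1.174 2015/03/06 03:35:00 rtr Exp $");
 
 #include "opt_pipe.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/filedesc.h>
 #include <sys/proc.h>
 #include <sys/file.h>
 #include <sys/buf.h>
 #define MBUFTYPES
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
@@ -1453,26 +1453,32 @@ sockargs(struct mbuf **mp, const void *b
 {
  struct sockaddr *sa;
  struct mbuf *m;
  int error;
 
  /*
  * We can't allow socket names > UCHAR_MAX in length, since that
  * will overflow sa_len. Control data more than a page size in
  * length is just too much.
  */
  if (buflen > (type == MT_SONAME ? UCHAR_MAX : PAGE_SIZE))
  return EINVAL;
 
+ /*
+ * length must greater than sizeof(sa_family) + sizeof(sa_len)
+ */
+ if (type == MT_SONAME && buflen <= 2)
+ return EINVAL;
+
  /* Allocate an mbuf to hold the arguments. */
  m = m_get(M_WAIT, type);
  /* can't claim. don't who to assign it to. */
  if (buflen > MLEN) {
  /*
  * Won't fit into a regular mbuf, so we allocate just
  * enough external storage to hold the argument.
  */
  MEXTMALLOC(m, buflen, M_WAITOK);
  }
  m->m_len = buflen;
  error = copyin(bf, mtod(m, void *), buflen);
  if (error) {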
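Review bot: The added lower-bound check in sockargs() hard-codes `2` for the combined size of sa_len and sa_family, and with `<=` it also rejects a buflen of exactly 2, although the commit message only asks that the length be large enough to encompass those two members. If at least one byte of sa_data is meant to be required, the comment should say so; otherwise the comparison looks off by one and `<` would match the description. In either case the bound is better tied to the structure layout than to a literal, e.g. `if (type == MT_SONAME && buflen <= offsetof(struct sockaddr, sa_data))`, with the comment corrected to `length must be greater than sizeof(sa_len) + sizeof(sa_family)`. This check validates a caller-supplied length before copyin(), so the exact boundary deserves an explicit statement; the function body continues past the end of the hunk, so how sa is used afterwards is not visible here.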