Fri Aug 31 15:15:23 2018 UTC ()

Fix buffer overflow, detected by kASan.

	ifconfig gif0 create
	ifconfig gif0 up

[   50.682919] kASan: Unauthorized Access In 0xffffffff80f22655: Addr 0xffffffff81b997a0 [8 bytes, read]
[   50.682919] #0 0xffffffff8021ce6a in kasan_memcpy <netbsd>
[   50.692999] #1 0xffffffff80f22655 in m_copyback_internal <netbsd>
[   50.692999] #2 0xffffffff80f22e81 in m_copyback <netbsd>
[   50.692999] #3 0xffffffff8103109a in rt_msg1 <netbsd>
[   50.692999] #4 0xffffffff8159109a in compat_70_rt_newaddrmsg1 <netbsd>
[   50.692999] #5 0xffffffff81031b0f in rt_newaddrmsg <netbsd>
[   50.692999] #6 0xffffffff8102c35e in rt_ifa_addlocal <netbsd>
[   50.692999] #7 0xffffffff80a5287c in in6_update_ifa1 <netbsd>
[   50.692999] #8 0xffffffff80a54149 in in6_update_ifa <netbsd>
[   50.692999] #9 0xffffffff80a59176 in in6_ifattach <netbsd>
[   50.692999] #10 0xffffffff80a56dd4 in in6_if_up <netbsd>
[   50.692999] #11 0xffffffff80fc5cb8 in if_up_locked <netbsd>
[   50.703622] #12 0xffffffff80fcc4c1 in ifioctl_common <netbsd>
[   50.703622] #13 0xffffffff80fde694 in gif_ioctl <netbsd>
[   50.703622] #14 0xffffffff80fcdb1f in doifioctl <netbsd>


(maxv)

diff -r1.241 -r1.242 src/sys/net/rtsock.c

--- src/sys/net/rtsock.c 2018/04/25 03:49:57	1.241
+++ src/sys/net/rtsock.c 2018/08/31 15:15:23	1.242

 @@ -1,14 +1,14 @@
-/*	$NetBSD: rtsock.c,v 1.241 2018/04/25 03:49:57 ozaki-r Exp $	*/
+/*	$NetBSD: rtsock.c,v 1.242 2018/08/31 15:15:23 maxv Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -51,27 +51,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)rtsock.c	8.7 (Berkeley) 10/12/95
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.241 2018/04/25 03:49:57 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.242 2018/08/31 15:15:23 maxv Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
 #include "opt_mpls.h"
 #include "opt_compat_netbsd.h"
 #include "opt_sctp.h"
 #include "opt_net_mpsafe.h"
 #endif
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
 #include <sys/socket.h>
 @@ -1211,31 +1211,31 @@ COMPATNAME(rt_msg1)(int type, struct rt_
 	m_reset_rcvif(m);
 	m_copyback(m, 0, datalen, data);
 	if (len > datalen)
 		(void)memset(mtod(m, char *) + datalen, 0, len - datalen);
 	rtm = mtod(m, struct rt_xmsghdr *);
 	for (i = 0; i < RTAX_MAX; i++) {
 		if ((sa = rtinfo->rti_info[i]) == NULL)
 			continue;
 		rtinfo->rti_addrs |= (1 << i);
 		dlen = RT_XROUNDUP(sa->sa_len);
 		m_copyback(m, len, sa->sa_len, sa);
 		if (dlen != sa->sa_len) {
 			/*
-			 * Up to 6 + 1 nul's since roundup is to
+			 * Up to 7 + 1 nul's since roundup is to
 			 * sizeof(uint64_t) (8 bytes)
 			 */
 			m_copyback(m, len + sa->sa_len,
-			    dlen - sa->sa_len, "\0\0\0\0\0\0");
+			    dlen - sa->sa_len, "\0\0\0\0\0\0\0");
+		}
 		len += dlen;
+	}
 	if (m->m_pkthdr.len != len)
 		goto out;
 	rtm->rtm_msglen = len;
 	rtm->rtm_version = RTM_XVERSION;
 	rtm->rtm_type = type;
 	return m;
 out:
 	m_freem(m);
 	return NULL;
+}