author | David Schultz <das@FreeBSD.org> | 2005-03-23 08:28:00 +0000 |
---|---|---|
committer | David Schultz <das@FreeBSD.org> | 2005-03-23 08:28:00 +0000 |
commit | aa675b572f72f088d07d8f1021e31769dc2ca6b5 (patch) | |
tree | b3ed4d07a00684ce74c0a697ddaf060e2646caae | |
parent | f2c7668eb1581c4fbd5a7d43af0dd363f8b3206e (diff) | |
Reject packets larger than IP_MAXPACKET in linux_sendto() for sockets
with the IP_HDRINCL option set. Without this change, a Linux process
with access to a raw socket could cause a kernel panic. Raw sockets
must be created by root, and are generally not consigned to untrusted
applications; hence, the security implications of this bug are
minimal. I believe this only affects 6-CURRENT on or after 2005-01-30.
Found by: Coverity Prevent analysis tool
Security: Local DOS
Notes:
svn path=/head/; revision=144012
-rw-r--r-- | sys/compat/linux/linux_socket.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/compat/linux/linux_socket.c b/sys/compat/linux/linux_socket.c index 9ae766200822..950e170bf459 100644 --- a/sys/compat/linux/linux_socket.c +++ b/sys/compat/linux/linux_socket.c @@ -452,8 +452,9 @@ linux_sendto_hdrincl(struct thread *td, struct linux_sendto_args *linux_args) struct iovec aiov[1]; int error; - /* Check the packet isn't too small before we mess with it */ - if (linux_args->len < linux_ip_copysize) + /* Check that the packet isn't too big or too small. */ + if (linux_args->len < linux_ip_copysize || + linux_args->len > IP_MAXPACKET) return (EINVAL); packet = (struct ip *)malloc(linux_args->len, M_TEMP, M_WAITOK); |
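Review bot: In linux_sendto_hdrincl(), the combined test returns EINVAL for both the too-small and the too-big case; consider splitting it so that `linux_args->len > IP_MAXPACKET` returns EMSGSIZE, which tells the caller which bound was violated. The check does sit before `malloc(linux_args->len, M_TEMP, M_WAITOK)`, so the caller-supplied length is bounded before it sizes the allocation. The declarations of `len` and `linux_ip_copysize` are not visible in this hunk, so it is worth confirming that their types do not let a negative `len` slip past both comparisons through mixed signed and unsigned promotion.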