Check against the size of the struct, not the pointer. Previously, a message with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow and read(2) to be invoked with msglen size (implicitly cast to signed), overrunning the caller-provided buffer. All users of cm_recv() supply a stack buffer. On the other hand, the rtadvd control socket appears to only be writable by the owner, who is probably root. While here, correct some types to be size_t or ssize_t. Reported by: Coverity CID: 1008477 Security: unix socket remotes may overflow stack in rtadvd Sponsored by: EMC / Isilon Storage Division |
||
---|---|---|
.. | ||
advcap.c | ||
advcap.h | ||
config.c | ||
config.h | ||
control_client.c | ||
control_client.h | ||
control_server.c | ||
control_server.h | ||
control.c | ||
control.h | ||
if.c | ||
if.h | ||
Makefile | ||
Makefile.depend | ||
pathnames.h | ||
rrenum.c | ||
rrenum.h | ||
rtadvd.8 | ||
rtadvd.c | ||
rtadvd.conf | ||
rtadvd.conf.5 | ||
rtadvd.h | ||
timer_subr.c | ||
timer_subr.h | ||
timer.c | ||
timer.h |