d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

MFC 1.96: simplied the fix to FreeBSD-SA-04:06.ipv6. The previous

Browse Source 
one worried too much even though we actually validate the parameters.
This code also is more compatible with other *BSDs, which do copyin
within setsockopt().
This commit is contained in:
ume 2005-11-04 20:35:14 +00:00
parent 318b6c2fd4
commit 02e243b949
1 changed files with 9 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
sys/netinet6/ip6_output.c
View File

@ -1764,6 +1764,7 @@ do { \
{ {
/* new advanced API (RFC3542) */ /* new advanced API (RFC3542) */
u_char *optbuf; u_char *optbuf;
u_char optbuf_storage[MCLBYTES];
int optlen; int optlen;
struct ip6_pktopts **optp; struct ip6_pktopts **optp;
@ -1773,48 +1774,21 @@ do { \
break; break;
} }
switch (optname) { /*
case IPV6_HOPOPTS: * We only ensure valsize is not too large
case IPV6_DSTOPTS: * here. Further validation will be done
case IPV6_RTHDRDSTOPTS: * later.
case IPV6_NEXTHOP: */
if (!privileged) error = sooptcopyin(sopt, optbuf_storage,
error = EPERM; sizeof(optbuf_storage), 0);
break;
}
if (error) if (error)
break; break;
switch (optname) {
case IPV6_PKTINFO:
optlen = sizeof(struct in6_pktinfo);
break;
case IPV6_NEXTHOP:
optlen = SOCK_MAXADDRLEN;
break;
default:
optlen = IPV6_MAXOPTHDR;
break;
}
if (sopt->sopt_valsize > optlen) {
error = EINVAL;
break;
}
optlen = sopt->sopt_valsize; optlen = sopt->sopt_valsize;
optbuf = malloc(optlen, M_TEMP, M_WAITOK); optbuf = optbuf_storage;
error = sooptcopyin(sopt, optbuf, optlen,
optlen);
if (error) {
free(optbuf, M_TEMP);
break;
}
optp = &in6p->in6p_outputopts; optp = &in6p->in6p_outputopts;
error = ip6_pcbopt(optname, error = ip6_pcbopt(optname,
optbuf, optlen, optbuf, optlen,
optp, privileged, uproto); optp, privileged, uproto);
free(optbuf, M_TEMP);
break; break;
} }
#undef OPTSET #undef OPTSET