Reject packets larger than IP_MAXPACKET in linux_sendto() for sockets

with the IP_HDRINCL option set.  Without this change, a Linux process
with access to a raw socket could cause a kernel panic.  Raw sockets
must be created by root, and are generally not consigned to untrusted
applications; hence, the security implications of this bug are
minimal.  I believe this only affects 6-CURRENT on or after 2005-01-30.

Found by:	Coverity Prevent analysis tool
Security:	Local DOS
David Schultz 2005-03-23 08:28:00 +00:00
parent f2c7668eb1
commit aa675b572f

@ -452,8 +452,9 @@ linux_sendto_hdrincl(struct thread *td, struct linux_sendto_args *linux_args)
struct iovec aiov[1];
int error;
/* Check the packet isn't too small before we mess with it */
if (linux_args->len < linux_ip_copysize)
/* Check that the packet isn't too big or too small. */
if (linux_args->len < linux_ip_copysize ||
linux_args->len > IP_MAXPACKET)
return (EINVAL);
packet = (struct ip *)malloc(linux_args->len, M_TEMP, M_WAITOK);
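
Review bot: The new upper-bound test in the `if` shares `return (EINVAL)` with the too-small case, so a caller cannot tell an oversized packet from a truncated header; consider returning EMSGSIZE when `linux_args->len > IP_MAXPACKET`. The comment "Check that the packet isn't too big or too small." would also help more if it said why the bound matters: `linux_args->len` is supplied by the calling process and is passed unchanged to `malloc(linux_args->len, M_TEMP, M_WAITOK)` on the following line, and the commit message states that an oversized value could panic the kernel.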