Author: markj
Date: Tue Oct  8 23:34:48 2019
New Revision: 353331
URL: https://svnweb.freebsd.org/changeset/base/353331

Log:
  Fix handling of empty SCM_RIGHTS messages.
  
  As unp_internalize() processes the input control messages, it builds
  an output mbuf chain containing the internalized representations of
  those messages.  In one special case, that of an empty SCM_RIGHTS
  message, the message is simply discarded.  However, the loop which
  appends mbufs to the output chain assumed that each iteration would
  produce an mbuf, resulting in a null pointer dereference if an empty
  SCM_RIGHTS message was followed by a non-empty message.
  
  Fix this by advancing the output mbuf chain tail pointer only if an
  internalized control message was produced.
  
  Reported by:  syzbot+1b5cced0f7fad26ae...@syzkaller.appspotmail.com
  MFC after:    1 week
  Sponsored by: The FreeBSD Foundation

Modified:
  head/sys/kern/uipc_usrreq.c

Modified: head/sys/kern/uipc_usrreq.c
==============================================================================
--- head/sys/kern/uipc_usrreq.c Tue Oct  8 21:40:42 2019        (r353330)
+++ head/sys/kern/uipc_usrreq.c Tue Oct  8 23:34:48 2019        (r353331)
@@ -2318,7 +2318,8 @@ unp_internalize(struct mbuf **controlp, struct thread 
                        goto out;
                }
 
-               controlp = &(*controlp)->m_next;
+               if (*controlp != NULL)
+                       controlp = &(*controlp)->m_next;
                if (CMSG_SPACE(datalen) < clen) {
                        clen -= CMSG_SPACE(datalen);
                        cm = (struct cmsghdr *)
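Review bot: The new guard at `if (*controlp != NULL)` relies on the discarded-empty-SCM_RIGHTS case leaving `*controlp` NULL, but nothing at this point in the hunk says so; a one-line comment such as "An empty SCM_RIGHTS message produces no output mbuf; keep the tail pointer in place so the next message fills this slot" would document the invariant the log message describes and make it harder for a future internalization path that leaves `*controlp` NULL by accident to be silently skipped. Since the trigger is an unprivileged sendmsg(2) with control data on a unix socket, the MFC noted in the log is warranted.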
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head