svn commit: r299507 - head/usr.sbin/rtadvd

Wed, 11 May 2016 20:38:21 -0700 

Author: cem
Date: Thu May 12 03:37:17 2016
New Revision: 299507
URL: https://svnweb.freebsd.org/changeset/base/299507

Log:
  rtadvd(8): Fix a typo in full msg receive logic
  
  Check against the size of the struct, not the pointer.  Previously, a message
  with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow
  and read(2) to be invoked with msglen size (implicitly cast to signed),
  overrunning the caller-provided buffer.
  
  All users of cm_recv() supply a stack buffer.
  
  On the other hand, the rtadvd control socket appears to only be writable by 
the
  owner, who is probably root.
  
  While here, correct some types to be size_t or ssize_t.
  
  Reported by:  Coverity
  CID:          1008477
  Security:     unix socket remotes may overflow stack in rtadvd
  Sponsored by: EMC / Isilon Storage Division

Modified:
  head/usr.sbin/rtadvd/control.c

Modified: head/usr.sbin/rtadvd/control.c
==============================================================================
--- head/usr.sbin/rtadvd/control.c      Thu May 12 03:36:49 2016        
(r299506)
+++ head/usr.sbin/rtadvd/control.c      Thu May 12 03:37:17 2016        
(r299507)
@@ -59,7 +59,7 @@
 int
 cm_recv(int fd, char *buf)
 {
-       int n;
+       ssize_t n;
        struct ctrl_msg_hdr     *cm;
        char *msg;
        struct pollfd pfds[1];
@@ -98,7 +98,7 @@ cm_recv(int fd, char *buf)
                }
        }
 
-       if (n != sizeof(*cm)) {
+       if (n != (ssize_t)sizeof(*cm)) {
                syslog(LOG_WARNING,
                    "<%s> received a too small message.", __func__);
                goto cm_recv_err;
@@ -123,11 +123,11 @@ cm_recv(int fd, char *buf)
            "<%s> ctrl msg received: type=%d", __func__,
            cm->cm_type);
 
-       if (cm->cm_len > sizeof(cm)) {
-               int msglen = cm->cm_len - sizeof(*cm);
+       if (cm->cm_len > sizeof(*cm)) {
+               size_t msglen = cm->cm_len - sizeof(*cm);
 
                syslog(LOG_DEBUG,
-                   "<%s> ctrl msg has payload (len=%d)", __func__,
+                   "<%s> ctrl msg has payload (len=%zu)", __func__,
                    msglen);
 
                for (;;) {
@@ -153,7 +153,7 @@ cm_recv(int fd, char *buf)
                        }
                        break;
                }
-               if (n != msglen) {
+               if (n != (ssize_t)msglen) {
                        syslog(LOG_WARNING,
                            "<%s> payload size mismatch.", __func__);
                        goto cm_recv_err;
_______________________________________________
svn-src-head@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-head
To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"

Reply via email to