Subject: kern/11115: CMSG_NXTHDR() can be a source of infinite loop
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 10/02/2000 03:56:30
>Number: 11115
>Category: kern
>Synopsis: CMSG_NXTHDR() can be a source of infinite loop
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Oct 02 04:02:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Jun-ichiro itojun Hagino
>Release: 1.5F and 1.4.2
>Organization:
itojun.org
>Environment:
System: NetBSD starfruit.itojun.org 1.5G NetBSD 1.5G (STARFRUIT) #175: Sun Oct 1 22:11:40 JST 2000 itojun@starfruit.itojun.org:/usr/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386
>Description:
the declaration of CMSG_NXTHDR() basically follows whatever declared
in RFC2292/2292bis. if cmsg_len is 0, CMSG_NXTHDR() returns the
original value as is.
the following loop can go into infinite loop:
while (cmsg = CMSG_NXTHDR(&msg, cmsg)) != NULL) {
/* foo */
}
the following should be okay:
while (cmsg->cmsg_len > sizeof(struct cmsghdr) &&
cmsg = CMSG_NXTHDR(&msg, cmsg)) != NULL) {
/* foo */
}
it would be better if we have more validation in CMSG_NXTHDR() itself,
to avoid misuse.
i've looked into sys/kern and found no such loop so far.
(from: jinmei@kame.net
>How-To-Repeat:
code inspection.
>Fix:
- if cmsg_len < sizeof(struct cmsghdr), it looks always bogus.
CMSG_NXTHDR should return NULL in this case?
- relationship with standards.
>Release-Note:
>Audit-Trail:
>Unformatted: