NetBSD-Bugs archive
Re: kern/29199 (msghdr parsing incorrect in kernel for v6 options)
Synopsis: msghdr parsing incorrect in kernel for v6 options
State-Changed-From-To: open->closed
State-Changed-By: riastradh%NetBSD.org@localhost
State-Changed-When: Wed, 26 Mar 2025 14:39:22 +0000
State-Changed-Why:
I believe these issues have been fixed in revisions 1.97 and 1.137 of
ip6_output.c.
1.97 added a check for the minimum length before dereferencing cm:
for (; control->m_len; control->m_data += CMSG_ALIGN(cm->cmsg_len),
control->m_len -= CMSG_ALIGN(cm->cmsg_len)) {
+ int error;
+
+ if (control->m_len < CMSG_LEN(0))
+ return (EINVAL);
+
cm = mtod(control, struct cmsghdr *);
if (cm->cmsg_len == 0 || cm->cmsg_len > control->m_len)
return (EINVAL);
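Review bot: the new `control->m_len < CMSG_LEN(0)` check stops the loop from reading a header that is not fully present, but the hunk's other bound, `cm->cmsg_len > control->m_len`, does not cover the loop's own increment: `control->m_len -= CMSG_ALIGN(cm->cmsg_len)` subtracts the aligned length, which can exceed `m_len` when `cmsg_len` is not a multiple of the alignment, leaving `m_len` negative while the condition `for (; control->m_len; ...)` only tests for zero. Suggest bounding `CMSG_ALIGN(cm->cmsg_len)` against `control->m_len` next to the existing `cmsg_len` check, or at least testing `control->m_len > 0` in the loop condition.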
1.137 handled the case where the aligned buffer is too short (perhaps
we should reject this case rather than silently accept it, to detect
buggy applications, but it's not really harmful either way):
- for (; control->m_len; control->m_data += CMSG_ALIGN(cm->cmsg_len),
+ /* XXX if cm->cmsg_len is not aligned, control->m_len can become <0 */
+ for (; control->m_len > 0; control->m_data += CMSG_ALIGN(cm->cmsg_len),
control->m_len -= CMSG_ALIGN(cm->cmsg_len)) {
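Review bot: changing the condition to `control->m_len > 0` ends the loop once an unaligned final `cmsg_len` has pushed `m_len` below zero, but the `XXX` comment then documents a malformed input the code silently tolerates. Since the loop body already returns `EINVAL` for `cm->cmsg_len > control->m_len`, the consistent treatment is to return `EINVAL` when `CMSG_ALIGN(cm->cmsg_len) > control->m_len` as well, and to reword the comment to explain why `> 0` rather than a non-zero test is needed.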
The buggy revisions were last shipped in long-EOL releases over a
decade ago, so no need for pullups.
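The loop discussed above, reproduced as a userland model so the three length checks can be exercised on constructed control buffers. This is an added example, not code from the message or from NetBSD's ip6_output.c; the names `walk_cmsgs`, `put_cmsg`, `run_scenario` and the `struct ctlbuf` stand-in for `control->m_data`/`control->m_len` are assumptions, `cmsg_align` rounds to `sizeof(long)` as an assumed equivalent of the kernel's CMSG_ALIGN, and the `strict` flag implements the rejection the message considers as an alternative to the 1.137 behaviour.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Stand-in for the control mbuf: data/len model control->m_data/m_len.
 * len is an int, as m_len is in the kernel, which is what lets it go negative. */
struct ctlbuf {
    unsigned char *data;
    int len;
};

/* Assumed equivalent of the kernel's CMSG_ALIGN: round up to sizeof(long). */
static size_t cmsg_align(size_t len)
{
    return (len + sizeof(long) - 1) & ~(sizeof(long) - 1);
}

/* Walk the chain with the 1.97 check (a whole header must be present) and the
 * 1.137 condition (loop while len > 0). With strict != 0 an aligned length that
 * overruns the buffer is rejected instead of silently ending the walk.
 * Returns 0 or EINVAL; *count gets the headers accepted, *remaining the final len. */
int walk_cmsgs(struct ctlbuf *control, int strict, int *count, int *remaining)
{
    struct cmsghdr *cm = NULL;
    int error = 0;

    *count = 0;
    /* "> 0" rather than "!= 0": the subtraction below can overshoot when
     * cmsg_len is not a multiple of the alignment (the XXX case in 1.137). */
    for (; control->len > 0;
         control->data += cmsg_align(cm->cmsg_len),
         control->len -= (int)cmsg_align(cm->cmsg_len)) {
        if (control->len < (int)CMSG_LEN(0)) {   /* 1.97: header would not fit */
            error = EINVAL;
            break;
        }
        cm = (struct cmsghdr *)control->data;
        if (cm->cmsg_len == 0 || cm->cmsg_len > (size_t)control->len) {
            error = EINVAL;
            break;
        }
        if (strict && cmsg_align(cm->cmsg_len) > (size_t)control->len) {
            error = EINVAL;                      /* aligned length overruns buffer */
            break;
        }
        (*count)++;
    }
    *remaining = control->len;
    return error;
}

/* Constructed sample data: write one header at buf+off, return the aligned end. */
static size_t put_cmsg(unsigned char *buf, size_t off, size_t cmsg_len, int level)
{
    struct cmsghdr *cm = (struct cmsghdr *)(buf + off);
    cm->cmsg_len = cmsg_len;
    cm->cmsg_level = level;
    cm->cmsg_type = 0;
    return off + cmsg_align(cmsg_len);
}

/* Build the constructed buffer for scenario `which` and walk it. */
int run_scenario(int which, int strict, int *count, int *remaining)
{
    _Alignas(long) unsigned char buf[128];
    struct ctlbuf control = { buf, 0 };
    size_t off = 0;

    memset(buf, 0, sizeof buf);
    switch (which) {
    case 0: /* two well-formed messages, 4 payload bytes each */
        off = put_cmsg(buf, off, CMSG_LEN(4), IPPROTO_IPV6);
        off = put_cmsg(buf, off, CMSG_LEN(4), IPPROTO_IPV6);
        control.len = (int)off;
        break;
    case 1: /* unaligned cmsg_len with a buffer of exactly that size: the
             * aligned length exceeds len, so lenient mode ends with len < 0 */
        put_cmsg(buf, 0, CMSG_LEN(1), IPPROTO_IPV6);
        control.len = (int)CMSG_LEN(1);
        break;
    case 2: /* buffer shorter than one header: caught by the 1.97 check */
        control.len = (int)CMSG_LEN(0) - 1;
        break;
    case 3: /* cmsg_len claims more bytes than the buffer holds */
        put_cmsg(buf, 0, CMSG_LEN(100), IPPROTO_IPV6);
        control.len = (int)CMSG_LEN(4);
        break;
    default: /* zero cmsg_len, which would never advance the loop */
        put_cmsg(buf, 0, 0, IPPROTO_IPV6);
        control.len = (int)CMSG_LEN(4);
        break;
    }
    return walk_cmsgs(&control, strict, count, remaining);
}

/* Accessors so each part of a scenario's outcome can be checked on its own. */
int scenario_error(int which, int strict)
{ int c, r; return run_scenario(which, strict, &c, &r); }
int scenario_count(int which, int strict)
{ int c, r; run_scenario(which, strict, &c, &r); return c; }
int scenario_remaining(int which, int strict)
{ int c, r; run_scenario(which, strict, &c, &r); return r; }

int main(void)
{
    for (int which = 0; which < 5; which++)
        for (int strict = 0; strict < 2; strict++)
            printf("scenario %d strict=%d: error=%d accepted=%d remaining=%d\n",
                   which, strict, scenario_error(which, strict),
                   scenario_count(which, strict), scenario_remaining(which, strict));
    return 0;
}
```

Scenario 1 is the interesting one: with `strict` off the walk succeeds and reports a negative remaining length, the state the XXX comment describes, which the pre-1.137 `control->m_len` condition would have treated as "more data" and kept walking past the buffer; with `strict` on the same input is rejected with `EINVAL` before the overshoot happens.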