Source-Changes-D archive


Re: CVS commit: src/sys/kern



Tom Ivar Helbekkmo <tih%hamartun.priv.no@localhost> writes:

> Wouldn't it be better to check that sopt->sopt_size >= len, and return
> an error if not?

...in other words, something like this (the second change is for
sockopt_setmbuf() a few lines down, where I suspect the same risk is
present):

Index: sys/kern/uipc_socket.c
===================================================================
RCS file: /cvsroot/src/sys/kern/uipc_socket.c,v
retrieving revision 1.257
diff -u -u -r1.257 uipc_socket.c
--- sys/kern/uipc_socket.c	25 Oct 2017 08:12:39 -0000	1.257
+++ sys/kern/uipc_socket.c	31 Dec 2017 22:10:19 -0000
@@ -2109,7 +2109,9 @@
 			return error;
 	}
 
-	KASSERT(sopt->sopt_size == len);
+	if (sopt->sopt_size < len)
+		return EINVAL;
+	
 	memcpy(sopt->sopt_data, buf, len);
 	return 0;
 }
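Review bot: The new `if (sopt->sopt_size < len)` test ahead of the memcpy() still accepts a destination larger than len, and nothing in the visible lines sets sopt->sopt_size to len afterwards, so a later reader of the option could treat bytes this call never wrote as valid data. Either reject any mismatch (`sopt->sopt_size != len`) or record the copied length after the memcpy(). The added blank line also carries a trailing tab, which should be dropped.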
@@ -2169,7 +2171,9 @@
 			return error;
 	}
 
-	KASSERT(sopt->sopt_size == len);
+	if (sopt->sopt_size < len)
+		return EINVAL;
+	
 	m_copydata(m, 0, len, sopt->sopt_data);
 	m_freem(m);
 
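Review bot: The early `return EINVAL` added here leaves before `m_freem(m)`, so on the new error path the mbuf chain is not freed in this function. Confirm that callers free m when the call fails, or free it before returning; otherwise a size mismatch leaks the chain. As in the first hunk, `sopt_size > len` passes the check without sopt_size being adjusted, and the added blank line has a trailing tab.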

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay

