Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys/netinet6 validate set/getsockopt arg more strictly. wit...
details: https://anonhg.NetBSD.org/src/rev/cf0694c97757
branches: trunk
changeset: 556233:cf0694c97757
user: itojun <itojun%NetBSD.org@localhost>
date: Wed Dec 10 09:28:38 2003 +0000
description:
validate set/getsockopt arg more strictly. with previous code privileged
user can cause kernel crash.
diffstat:
sys/netinet6/ip6_mroute.c | 67 +++++++++++++++++++++++++++++-----------------
1 files changed, 42 insertions(+), 25 deletions(-)
diffs (116 lines):
diff -r fe81d1f21366 -r cf0694c97757 sys/netinet6/ip6_mroute.c
--- a/sys/netinet6/ip6_mroute.c Wed Dec 10 09:25:36 2003 +0000
+++ b/sys/netinet6/ip6_mroute.c Wed Dec 10 09:28:38 2003 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_mroute.c,v 1.58 2003/10/30 01:43:09 simonb Exp $ */
+/* $NetBSD: ip6_mroute.c,v 1.59 2003/12/10 09:28:38 itojun Exp $ */
/* $KAME: ip6_mroute.c,v 1.49 2001/07/25 09:21:18 jinmei Exp $ */
/*
@@ -117,7 +117,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.58 2003/10/30 01:43:09 simonb Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_mroute.c,v 1.59 2003/12/10 09:28:38 itojun Exp $");
#include "opt_inet.h"
#include "opt_mrouting.h"
@@ -284,7 +284,7 @@
static int get_sg_cnt __P((struct sioc_sg_req6 *));
static int get_mif6_cnt __P((struct sioc_mif_req6 *));
-static int ip6_mrouter_init __P((struct socket *, struct mbuf *, int));
+static int ip6_mrouter_init __P((struct socket *, int, int));
static int add_m6if __P((struct mif6ctl *));
static int del_m6if __P((mifi_t *));
static int add_m6fc __P((struct mf6cctl *));
@@ -302,18 +302,40 @@
struct mbuf *m;
{
if (cmd != MRT6_INIT && so != ip6_mrouter)
- return EACCES;
+ return (EACCES);
switch (cmd) {
- case MRT6_OINIT: return ip6_mrouter_init(so, m, cmd);
- case MRT6_INIT: return ip6_mrouter_init(so, m, cmd);
- case MRT6_DONE: return ip6_mrouter_done();
- case MRT6_ADD_MIF: return add_m6if(mtod(m, struct mif6ctl *));
- case MRT6_DEL_MIF: return del_m6if(mtod(m, mifi_t *));
- case MRT6_ADD_MFC: return add_m6fc(mtod(m, struct mf6cctl *));
- case MRT6_DEL_MFC: return del_m6fc(mtod(m, struct mf6cctl *));
- case MRT6_PIM: return set_pim6(mtod(m, int *));
- default: return EOPNOTSUPP;
+#ifdef MRT6_OINIT
+ case MRT6_OINIT:
+#endif
+ case MRT6_INIT:
+ if (m == NULL || m->m_len < sizeof(int))
+ return (EINVAL);
+ return (ip6_mrouter_init(so, *mtod(m, int *), cmd));
+ case MRT6_DONE:
+ return (ip6_mrouter_done());
+ case MRT6_ADD_MIF:
+ if (m == NULL || m->m_len < sizeof(struct mif6ctl))
+ return (EINVAL);
+ return (add_m6if(mtod(m, struct mif6ctl *)));
+ case MRT6_DEL_MIF:
+ if (m == NULL || m->m_len < sizeof(mifi_t))
+ return (EINVAL);
+ return (del_m6if(mtod(m, mifi_t *)));
+ case MRT6_ADD_MFC:
+ if (m == NULL || m->m_len < sizeof(struct mf6cctl))
+ return (EINVAL);
+ return (add_m6fc(mtod(m, struct mf6cctl *)));
+ case MRT6_DEL_MFC:
+ if (m == NULL || m->m_len < sizeof(struct mf6cctl))
+ return (EINVAL);
+ return (del_m6fc(mtod(m, struct mf6cctl *)));
+ case MRT6_PIM:
+ if (m == NULL || m->m_len < sizeof(int))
+ return (EINVAL);
+ return (set_pim6(mtod(m, int *)));
+ default:
+ return (EOPNOTSUPP);
}
}
@@ -438,13 +460,11 @@
* Enable multicast routing
*/
static int
-ip6_mrouter_init(so, m, cmd)
+ip6_mrouter_init(so, v, cmd)
struct socket *so;
- struct mbuf *m;
+ int v;
int cmd;
{
- int *v;
-
#ifdef MRT6DEBUG
if (mrt6debug)
log(LOG_DEBUG,
@@ -454,16 +474,13 @@
if (so->so_type != SOCK_RAW ||
so->so_proto->pr_protocol != IPPROTO_ICMPV6)
- return EOPNOTSUPP;
-
- if (!m || (m->m_len != sizeof(int *)))
- return ENOPROTOOPT;
+ return (EOPNOTSUPP);
- v = mtod(m, int *);
- if (*v != 1)
- return ENOPROTOOPT;
+ if (v != 1)
+ return (ENOPROTOOPT);
- if (ip6_mrouter != NULL) return EADDRINUSE;
+ if (ip6_mrouter != NULL)
+ return (EADDRINUSE);
ip6_mrouter = so;
ip6_mrouter_ver = cmd;
Home |
Main Index |
Thread Index |
Old Index