Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-2]: src/sys/netiso Pull up following revision(s) (requested by ad...
details: https://anonhg.NetBSD.org/src/rev/910418c0b81d
branches: netbsd-2
changeset: 564582:910418c0b81d
user: ghen <ghen%NetBSD.org@localhost>
date: Thu Mar 29 08:57:07 2007 +0000
description:
Pull up following revision(s) (requested by adrianp in ticket #11256):
sys/netiso/clnp_subr.c: revision 1.27 via patch
A number of functions do not validate the length of arguments passed.
As a result of this a user could supply a bad 'sockaddr' structure to
clnp_route() via connect(2).
Issue found by Christer Oberg and patch from christos@ (NetBSD-SA2007-004)
diffstat:
sys/netiso/clnp_subr.c | 58 ++++++++++++++++++++++++++++++-------------------
1 files changed, 35 insertions(+), 23 deletions(-)
diffs (140 lines):
diff -r 4a3c05153895 -r 910418c0b81d sys/netiso/clnp_subr.c
--- a/sys/netiso/clnp_subr.c Tue Feb 20 15:53:23 2007 +0000
+++ b/sys/netiso/clnp_subr.c Thu Mar 29 08:57:07 2007 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: clnp_subr.c,v 1.15 2003/08/07 16:33:34 agc Exp $ */
+/* $NetBSD: clnp_subr.c,v 1.15.4.1 2007/03/29 08:57:07 ghen Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -59,7 +59,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: clnp_subr.c,v 1.15 2003/08/07 16:33:34 agc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: clnp_subr.c,v 1.15.4.1 2007/03/29 08:57:07 ghen Exp $");
#include "opt_iso.h"
@@ -157,27 +157,27 @@
struct iso_addr *destp; /* ptr to destination address
* buffer */
{
- int len; /* argument to bcopy */
+ size_t len; /* argument to memcpy */
/*
* check that we have enough data. Plus1 is for length octet
*/
- if ((u_char) * bufp + 1 > buflen) {
- return ((caddr_t) 0);
- }
- len = destp->isoa_len = (u_char) * bufp++;
- (void) bcopy(bufp, (caddr_t) destp, len);
+ len = (u_char)*bufp++;
+ if (len > buflen)
+ return NULL;
+ destp->isoa_len = len;
+ (void)memcpy(destp, bufp, len);
buflen -= len;
bufp += len;
/*
* check that we have enough data. Plus1 is for length octet
*/
- if ((u_char) * bufp + 1 > buflen) {
- return ((caddr_t) 0);
- }
- len = srcp->isoa_len = (u_char) * bufp++;
- (void) bcopy(bufp, (caddr_t) srcp, len);
+ len = (u_char)*bufp++;
+ if (len > buflen)
+ return NULL;
+ srcp->isoa_len = len;
+ (void)memcpy(srcp, bufp, len);
bufp += len;
/*
@@ -186,7 +186,7 @@
if (iso_ck_addr(srcp) && iso_ck_addr(destp))
return bufp;
else
- return (caddr_t) 0;
+ return NULL;
}
#endif /* notdef */
@@ -426,11 +426,11 @@
struct iso_addr *dstp; /* ptr to dst addr */
{
*bufp++ = dstp->isoa_len;
- (void) bcopy((caddr_t) dstp, bufp, dstp->isoa_len);
+ (void)memcpy(bufp, dstp, dstp->isoa_len);
bufp += dstp->isoa_len;
*bufp++ = srcp->isoa_len;
- (void) bcopy((caddr_t) srcp, bufp, srcp->isoa_len);
+ (void)memcpy(bufp, srcp, srcp->isoa_len);
bufp += srcp->isoa_len;
return bufp;
@@ -468,14 +468,16 @@
{
if (flags & SO_DONTROUTE) {
struct iso_ifaddr *ia;
+ size_t len = 1 + (unsigned)dst->isoa_len;
if (ro->ro_rt) {
RTFREE(ro->ro_rt);
ro->ro_rt = 0;
}
- bzero((caddr_t) & ro->ro_dst, sizeof(ro->ro_dst));
- bcopy((caddr_t) dst, (caddr_t) & ro->ro_dst.siso_addr,
- 1 + (unsigned) dst->isoa_len);
+ if (sizeof(ro->ro_dst.siso_addr) < len)
+ return EINVAL;
+ (void)memset(&ro->ro_dst, 0, sizeof(ro->ro_dst));
+ (void)memcpy(&ro->ro_dst.siso_addr, dst, len);
ro->ro_dst.siso_family = AF_ISO;
ro->ro_dst.siso_len = sizeof(ro->ro_dst);
ia = iso_localifa(&ro->ro_dst);
@@ -514,11 +516,15 @@
}
if (ro->ro_rt == 0) {
+ size_t len = 1 + (unsigned)dst->isoa_len;
+
/* set up new route structure */
- bzero((caddr_t) & ro->ro_dst, sizeof(ro->ro_dst));
+ if (sizeof(ro->ro_dst.siso_addr) < len)
+ return EINVAL;
+ (void)memset(&ro->ro_dst, 0, sizeof(ro->ro_dst));
ro->ro_dst.siso_len = sizeof(ro->ro_dst);
ro->ro_dst.siso_family = AF_ISO;
- Bcopy(dst, &ro->ro_dst.siso_addr, 1 + dst->isoa_len);
+ (void)memcpy(&ro->ro_dst.siso_addr, dst, len);
/* allocate new route */
#ifdef ARGO_DEBUG
if (argo_debug[D_ROUTE]) {
@@ -580,13 +586,19 @@
if CLNPSRCRT_TERM
(oidx, options) {
dst.isoa_len = final_dst->isoa_len;
- bcopy(final_dst->isoa_genaddr, dst.isoa_genaddr, dst.isoa_len);
+ if (sizeof(dst.isoa_genaddr) < (size_t)dst.isoa_len)
+ return EINVAL;
+ (void)memcpy(dst.isoa_genaddr, final_dst->isoa_genaddr,
+ (size_t)dst.isoa_len);
} else {
/*
* setup dst based on src rt specified
*/
dst.isoa_len = CLNPSRCRT_CLEN(oidx, options);
- bcopy(CLNPSRCRT_CADDR(oidx, options), dst.isoa_genaddr, dst.isoa_len);
+ if (sizeof(dst.isoa_genaddr) < (unsigned)dst.isoa_len)
+ return EINVAL;
+ (void)memcpy(dst.isoa_genaddr, CLNPSRCRT_CADDR(oidx, options),
+ (size_t)dst.isoa_len);
}
/*
Home |
Main Index |
Thread Index |
Old Index