[src/trunk]: src/sys/net route(4): Avoid unaligned access to struct rt_msghdr...
details: https://anonhg.NetBSD.org/src/rev/bc0528913030
branches: trunk
changeset: 368227:bc0528913030
user: riastradh <riastradh%NetBSD.org@localhost>
date: Wed Jun 29 23:15:08 2022 +0000
description:
route(4): Avoid unaligned access to struct rt_msghdr, take two.
Can't even take the address of the misaligned struct member for
memcpy. Just copy the header out into a stack variable instead.
Reported-by: syzbot+083d9be5cb3c2e78ed1c%syzkaller.appspotmail.com@localhost
diffstat:
sys/net/rtsock_shared.c | 11 +++++------
1 files changed, 5 insertions(+), 6 deletions(-)
diffs (46 lines):
diff -r c9724bd01e01 -r bc0528913030 sys/net/rtsock_shared.c
--- a/sys/net/rtsock_shared.c Wed Jun 29 22:27:12 2022 +0000
+++ b/sys/net/rtsock_shared.c Wed Jun 29 23:15:08 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: rtsock_shared.c,v 1.20 2022/06/26 21:42:19 riastradh Exp $ */
+/* $NetBSD: rtsock_shared.c,v 1.21 2022/06/29 23:15:08 riastradh Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.20 2022/06/26 21:42:19 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.21 2022/06/29 23:15:08 riastradh Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -647,6 +647,7 @@
COMPATNAME(route_output)(struct mbuf *m, struct socket *so)
{
struct sockproto proto = { .sp_family = PF_XROUTE, };
+ struct rt_xmsghdr hdr;
struct rt_xmsghdr *rtm = NULL;
struct rt_xmsghdr *old_rtm = NULL, *new_rtm = NULL;
struct rtentry *rt = NULL;
@@ -658,7 +659,6 @@
int bound = curlwp_bind();
bool do_rt_free = false;
struct sockaddr_storage netmask;
- unsigned short msglen;
#define senderr(e) do { error = e; goto flush;} while (/*CONSTCOND*/ 0)
if (m == NULL || ((m->m_len < sizeof(int32_t)) &&
@@ -673,9 +673,8 @@
info.rti_info[RTAX_DST] = NULL;
senderr(EINVAL);
}
- memcpy(&msglen, &mtod(m, struct rt_xmsghdr *)->rtm_msglen,
- sizeof(msglen));
- if (len != msglen) {
+ m_copydata(m, 0, sizeof(hdr), &hdr);
+ if (len != hdr.rtm_msglen) {
info.rti_info[RTAX_DST] = NULL;
senderr(EINVAL);
}
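Review bot: The new `m_copydata(m, 0, sizeof(hdr), &hdr)` call depends on the mbuf chain holding at least `sizeof(hdr)` bytes, and the check that guarantees this is not visible in the hunk. The only guard shown earlier in the function concerns `sizeof(int32_t)`. The `senderr(EINVAL)` branch just above the call presumably rejects a packet shorter than the header, but the message content is supplied through a routing socket, so the dependency deserves a comment at the call, e.g. `/* len >= sizeof(hdr) checked above; copy out because mbuf data may be unaligned */`. A `KASSERT(len >= sizeof(hdr));` before the copy would also pin the bound, so that a later loosening of the length check cannot silently make the copy run past the end of the chain. route_output's body starts and ends outside this hunk.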