summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorClaudio Jeker <claudio@cvs.openbsd.org>2007-09-07 11:15:20 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2007-09-07 11:15:20 +0000
commit73578155488e25bd63efe099b35b1e2993fa2feb (patch)
treeb694dacc5a2b42e743964a3230972284a150e87c
parent574ddb2ec7d2327c152bc66a7ff1d22823e3540e (diff)
Check if rtm_hdrlen is smaller then the passed message or it would be possible
to access uninitialised memory. Set dst to 0 on error, the error path tries to access dst but dst is inited later down the code. This fixes a kernel panic seen by aanriot@ OK henning@
-rw-r--r--sys/net/rtsock.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 9ccb8befa4a..661192c0f9e 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rtsock.c,v 1.64 2007/09/03 15:24:49 claudio Exp $ */
+/* $OpenBSD: rtsock.c,v 1.65 2007/09/07 11:15:19 claudio Exp $ */
/* $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $ */
/*
@@ -234,15 +234,22 @@ route_output(struct mbuf *m, ...)
rtm->rtm_pid = curproc->p_pid;
if (rtm->rtm_hdrlen == 0) /* old client */
rtm->rtm_hdrlen = sizeof(struct rt_msghdr);
+ if (len < rtm->rtm_hdrlen) {
+ dst = 0;
+ error = EINVAL;
+ goto flush;
+ }
tableid = rtm->rtm_tableid;
if (!rtable_exists(tableid)) {
if (rtm->rtm_type == RTM_ADD) {
if (rtable_add(tableid)) {
+ dst = 0;
error = EINVAL;
goto flush;
}
} else {
+ dst = 0;
error = EINVAL;
goto flush;
}