author | Claudio Jeker <claudio@cvs.openbsd.org> | 2007-09-07 11:15:20 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2007-09-07 11:15:20 +0000 |
commit | 73578155488e25bd63efe099b35b1e2993fa2feb (patch) | |
tree | b694dacc5a2b42e743964a3230972284a150e87c | |
parent | 574ddb2ec7d2327c152bc66a7ff1d22823e3540e (diff) |
Check if rtm_hdrlen is smaller than the passed message or it would be possible
to access uninitialised memory.
Set dst to 0 on error, the error path tries to access dst but dst is inited
later down the code. This fixes a kernel panic seen by aanriot@
OK henning@
-rw-r--r-- | sys/net/rtsock.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 9ccb8befa4a..661192c0f9e 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rtsock.c,v 1.64 2007/09/03 15:24:49 claudio Exp $ */
+/* $OpenBSD: rtsock.c,v 1.65 2007/09/07 11:15:19 claudio Exp $ */
 /* $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $ */
 /*
@@ -234,15 +234,22 @@ route_output(struct mbuf *m, ...)
 rtm->rtm_pid = curproc->p_pid;
 if (rtm->rtm_hdrlen == 0) /* old client */
 rtm->rtm_hdrlen = sizeof(struct rt_msghdr);
+ if (len < rtm->rtm_hdrlen) {
+ dst = 0;
+ error = EINVAL;
+ goto flush;
+ }
 tableid = rtm->rtm_tableid;
 if (!rtable_exists(tableid)) {
 if (rtm->rtm_type == RTM_ADD) {
 if (rtable_add(tableid)) {
+ dst = 0;
 error = EINVAL;
 goto flush;
 }
 } else {
+ dst = 0;
 error = EINVAL;
 goto flush;
 }
 |
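Review bot: The added guard `if (len < rtm->rtm_hdrlen)` in the second hunk bounds the client-supplied header length only from above, so a non-zero `rtm_hdrlen` smaller than the fixed header still passes. If code later in route_output (its body starts and ends outside this hunk) uses `rtm_hdrlen` as the offset of the trailing sockaddrs, such a value would make it parse addresses from inside the header itself. I would reject that case too, e.g. `if (rtm->rtm_hdrlen < sizeof(struct rt_msghdr) || len < rtm->rtm_hdrlen) {`, or with whatever smaller minimum the ABI has to accept for older binaries. As a style point, the three added `dst = 0;` lines repeat one invariant of the `flush` path; a single `dst = NULL;` before the first `goto flush` would keep future error exits from reintroducing the uninitialised read.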