author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2013-03-30 12:15:30 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2013-03-30 12:15:30 +0000 |
commit | 3fb68333ec31e4c9a3365038375b6c3fd2256c0a (patch) | |
tree | 09e593c457d42773e3bd3bf85f687643b8f140e4 | |
parent | fd5f8597ee4c64a203798daa36ba4e9be32a4a1f (diff) |
Restrict protocol numbers for raw sockets to the range from 0 to 255.
OK deraadt@ guenther@
-rw-r--r-- | sys/netinet/raw_ip.c | 6 | ||||
-rw-r--r-- | sys/netinet6/raw_ip6.c | 6 |
2 files changed, 10 insertions, 2 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 61285a8a4a6..502eecd7ad8 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip.c,v 1.62 2012/10/21 13:06:03 benno Exp $ */
+/* $OpenBSD: raw_ip.c,v 1.63 2013/03/30 12:15:29 bluhm Exp $ */
 /* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */
 
 /*
@@ -419,6 +419,10 @@ rip_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
 error = EACCES;
 break;
 }
+ if ((long)nam < 0 || (long)nam >= IPPROTO_MAX) {
+ error = EPROTONOSUPPORT;
+ break;
+ }
 if ((error = soreserve(so, rip_sendspace, rip_recvspace)) ||
 (error = in_pcballoc(so, &rawcbtable)))
 break;
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 0a2559a6d69..531efd0cece 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip6.c,v 1.49 2013/03/28 16:45:16 tedu Exp $ */
+/* $OpenBSD: raw_ip6.c,v 1.50 2013/03/30 12:15:29 bluhm Exp $ */
 /* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */
 
 /*
@@ -613,6 +613,10 @@ rip6_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
 error = EACCES;
 break;
 }
+ if ((long)nam < 0 || (long)nam >= IPPROTO_MAX) {
+ error = EPROTONOSUPPORT;
+ break;
+ }
 s = splsoftnet();
 if ((error = soreserve(so, rip6_sendspace, rip6_recvspace)) != 0) {
 splx(s); |
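Review bot: The added check in rip_usrreq reads the protocol number with `(long)nam`, but nothing near it says that in this request case the `struct mbuf *nam` argument apparently carries the integer protocol from socket(2) rather than a pointer, so the cast and the bound look arbitrary to a later reader. I would put a comment above the `if`, for example `/* nam holds the protocol number here, not an mbuf; it must fit the 8-bit IP protocol field */`, and the identical check added to rip6_usrreq in sys/netinet6/raw_ip6.c needs the same comment. The upper bound relies on IPPROTO_MAX being 256, which the commit message implies but neither hunk shows, and presumably the value is later stored in an 8-bit field where a larger number would be silently truncated. Both function bodies, including the case label that selects this path, start and end outside the hunks.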