authorbluhm <bluhm@openbsd.org>2017-07-20 18:40:16 +0000
committerbluhm <bluhm@openbsd.org>2017-07-20 18:40:16 +0000
commitc0c4a6857e7ba3970dd15dafff4664e4dfbec547 (patch)
treed0fbd87c79d8679351c96f08cd4e566a6d7dabe4
parentDon't exit on invalid config lines, yet return a proper exit status. (diff)
When receiving a struct sockaddr from userland, enforce that memory
for sa_len and sa_family is provided. This will make handling of socket name mbufs within the kernel safer. issue reported by Ilja Van Sprundel; OK claudio@
-rw-r--r--sys/kern/uipc_syscalls.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 75953e74395..2b9676e32cf 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: uipc_syscalls.c,v 1.154 2017/07/19 06:52:41 claudio Exp $ */
+/* $OpenBSD: uipc_syscalls.c,v 1.155 2017/07/20 18:40:16 bluhm Exp $ */
/* $NetBSD: uipc_syscalls.c,v 1.19 1996/02/09 19:00:48 christos Exp $ */
/*
@@ -1113,8 +1113,10 @@ sockargs(struct mbuf **mp, const void *buf, size_t buflen, int type)
* We can't allow socket names > UCHAR_MAX in length, since that
* will overflow sa_len. Also, control data more than MCLBYTES in
* length is just too much.
+ * Memory for sa_len and sa_family must exist.
*/
- if (buflen > (type == MT_SONAME ? UCHAR_MAX : MCLBYTES))
+ if ((buflen > (type == MT_SONAME ? UCHAR_MAX : MCLBYTES)) ||
+ (type == MT_SONAME && buflen < offsetof(struct sockaddr, sa_data)))
return (EINVAL);
/* Allocate an mbuf to hold the arguments. */
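Review bot: The new `MT_SONAME` lower bound in the condition only guarantees that `sa_len` and `sa_family` are present, so a socket name of exactly `offsetof(struct sockaddr, sa_data)` bytes still passes with an empty `sa_data`. The added comment line should state that limit, so later readers do not take this check as proof that a full address was supplied, for example `* Socket names must cover sa_len and sa_family; sa_data may be shorter than the address family expects, so consumers must still check the length.` Using `offsetof` rather than a literal keeps the bound tied to the struct layout, which is worth keeping. sockargs() starts and ends outside this hunk, so whether its callers already do per-family length validation cannot be confirmed from here.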