authorAlexander Bluhm <bluhm@cvs.openbsd.org>2018-07-05 21:16:53 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2018-07-05 21:16:53 +0000
commit96862b2d3e68ec9a9c9f5382d0436eceb66ea57c (patch)
tree34f20cf34725e32f7222819d31ef82e68ba599bf /sys
parent9cbbb0ee62c826513db5cdce34cc543710ef0fd4 (diff)
It was possible to leak the control mbuf in raw ip user request
with sendmsg(2) and MSG_OOB. Sync the code in udp, rip, and rip6_usrreq. Add an inp NULL check in rip6_usrreq for consistency. OK benno@ mpi@
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/raw_ip.c6
-rw-r--r--sys/netinet/udp_usrreq.c3
-rw-r--r--sys/netinet6/raw_ip6.c13
3 files changed, 16 insertions, 6 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 6e9ca1e197d..35810fcd416 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip.c,v 1.110 2018/07/04 02:08:13 anton Exp $ */
+/* $OpenBSD: raw_ip.c,v 1.111 2018/07/05 21:16:52 bluhm Exp $ */
/* $NetBSD: raw_ip.c,v 1.25 1996/02/18 18:58:33 christos Exp $ */
/*
@@ -365,7 +365,7 @@ int
rip_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
struct mbuf *control, struct proc *p)
{
- struct inpcb *inp = sotoinpcb(so);
+ struct inpcb *inp;
int error = 0;
if (req == PRU_CONTROL)
@@ -374,6 +374,7 @@ rip_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
soassertlocked(so);
+ inp = sotoinpcb(so);
if (inp == NULL) {
error = EINVAL;
goto release;
@@ -504,6 +505,7 @@ rip_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
panic("rip_usrreq");
}
release:
+ m_freem(control);
m_freem(m);
return (error);
}
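Review bot: With `m_freem(control);` now at `release:`, any path in rip_usrreq that hands `control` to a callee which frees it must clear the pointer first, and no such clearing is visible in this file's hunks. The raw_ip6.c part of this commit adds `control = NULL;` after rip6_output() for this purpose. The send case of rip_usrreq lies outside the hunks shown, so it may already be safe if it passes NULL rather than `control` to the output routine. If it does pass `control`, add `control = NULL;` where `m` is cleared after the call, otherwise the mbuf chain is freed twice.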
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index dbcc4307375..c4c52f68609 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.249 2018/06/08 14:09:57 bluhm Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.250 2018/07/05 21:16:52 bluhm Exp $ */
/* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
/*
@@ -1203,7 +1203,6 @@ udp_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *addr,
default:
panic("udp_usrreq");
}
-
release:
m_freem(control);
m_freem(m);
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index e89c21e403c..80fbcc1a393 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: raw_ip6.c,v 1.128 2018/07/04 02:08:13 anton Exp $ */
+/* $OpenBSD: raw_ip6.c,v 1.129 2018/07/05 21:16:52 bluhm Exp $ */
/* $KAME: raw_ip6.c,v 1.69 2001/03/04 15:55:44 itojun Exp $ */
/*
@@ -544,7 +544,7 @@ int
rip6_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
struct mbuf *control, struct proc *p)
{
- struct inpcb *in6p = sotoinpcb(so);
+ struct inpcb *in6p;
int error = 0;
if (req == PRU_CONTROL)
@@ -553,6 +553,12 @@ rip6_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
soassertlocked(so);
+ in6p = sotoinpcb(so);
+ if (in6p == NULL) {
+ error = EINVAL;
+ goto release;
+ }
+
switch (req) {
case PRU_DISCONNECT:
if ((so->so_state & SS_ISCONNECTED) == 0) {
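Review bot: The new `goto release` for `in6p == NULL` is taken before `switch (req)`, so `m_freem()` now runs on `m` and `control` for every request code that gets past the PRU_CONTROL return. That is only safe if both arguments are real mbufs or NULL for all of those codes. Any case further down that returns directly because `m` carries a different kind of pointer (none is visible in this hunk) would have to be excluded before this check. A comment such as `/* release frees m and control: both must be mbufs or NULL for every req reaching here */` would record the assumption. The same pre-switch check appears as context in rip_usrreq in raw_ip.c.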
@@ -654,6 +660,7 @@ rip6_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
dst.sin6_scope_id = addr6->sin6_scope_id;
}
error = rip6_output(m, so, sin6tosa(&dst), control);
+ control = NULL;
m = NULL;
break;
}
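Review bot: The ownership rule behind `control = NULL;` is undocumented: `m` and `control` are cleared whatever `error` is, which is only correct if rip6_output() frees both on its failure paths as well. rip6_output() is not part of this diff, so that should be confirmed. If it holds, a comment above the call would pin the contract, e.g. `/* rip6_output() consumes m and control, also on error */`. The case body starts above this hunk.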
@@ -687,6 +694,8 @@ rip6_usrreq(struct socket *so, int req, struct mbuf *m, struct mbuf *nam,
default:
panic("rip6_usrreq");
}
+release:
+ m_freem(control);
m_freem(m);
return (error);
}