diff options
| author | Moritz Buhl <mbuhl@cvs.openbsd.org> | 2022-08-29 09:50:39 +0000 |
|---|---|---|
| committer | Moritz Buhl <mbuhl@cvs.openbsd.org> | 2022-08-29 09:50:39 +0000 |
| commit | 394faa4bd28ed23917211dfb15e28230ef375254 (patch) | |
| tree | 22bb4939b08587536a7fa763fc6407eceabcf924 /sys | |
| parent | d928fb494ed5282cf254601d9bebc9fb423820b7 (diff) | |
Sendmsg could crash in tcp_output due to a missing check after the
introduction of tcp_send.
OK mvs@, bluhm@, gnezdo@
Reported-by: syzbot+e859fd353c90eeac26f8@syzkaller.appspotmail.com
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/netinet/tcp_usrreq.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 889acc2b12d..44722fd86c5 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_usrreq.c,v 1.199 2022/08/29 08:08:17 mvs Exp $ */ +/* $OpenBSD: tcp_usrreq.c,v 1.200 2022/08/29 09:50:38 mbuhl Exp $ */ /* $NetBSD: tcp_usrreq.c,v 1.20 1996/02/13 23:44:16 christos Exp $ */ /* @@ -915,6 +915,11 @@ tcp_send(struct socket *so, struct mbuf *m, struct mbuf *nam, soassertlocked(so); + if (control && control->m_len) { + error = EINVAL; + goto out; + } + if ((error = tcp_sogetpcb(so, &inp, &tp))) goto out; |