From 73578155488e25bd63efe099b35b1e2993fa2feb Mon Sep 17 00:00:00 2001
From: Claudio Jeker
Date: Fri, 7 Sep 2007 11:15:20 +0000
Subject: Check if rtm_hdrlen is smaller then the passed message or it would be possible to access uninitialised memory. Set dst to 0 on error, the error path tries to access dst but dst is inited later down the code. This fixes a kernel panic seen by aanriot@ OK henning@
---
 sys/net/rtsock.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'sys')
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index 9ccb8befa4a..661192c0f9e 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rtsock.c,v 1.64 2007/09/03 15:24:49 claudio Exp $ */
+/* $OpenBSD: rtsock.c,v 1.65 2007/09/07 11:15:19 claudio Exp $ */
 /* $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $ */

 /*
@@ -234,15 +234,22 @@ route_output(struct mbuf *m, ...)
 rtm->rtm_pid = curproc->p_pid;
 if (rtm->rtm_hdrlen == 0) /* old client */
 rtm->rtm_hdrlen = sizeof(struct rt_msghdr);
+ if (len < rtm->rtm_hdrlen) {
+ dst = 0;
+ error = EINVAL;
+ goto flush;
+ }
 tableid = rtm->rtm_tableid;
 if (!rtable_exists(tableid)) {
 if (rtm->rtm_type == RTM_ADD) {
 if (rtable_add(tableid)) {
+ dst = 0;
 error = EINVAL;
 goto flush;
 }
 } else {
+ dst = 0;
 error = EINVAL;
 goto flush;
 }
-- 
cgit v1.2.3
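Review bot: The three `dst = 0;` assignments patch each early exit one at a time, but the defect they work around is that `dst` is still uninitialized when the `flush:` path dereferences it, so any `goto flush` added later before `dst` is assigned reintroduces the same panic; initializing `dst` at its declaration (`struct sockaddr *dst = NULL;`, assuming it is declared without an initializer outside this hunk) makes the error path safe no matter where it is entered. The new guard rejects an `rtm_hdrlen` larger than the message, but unless a check outside the hunk already enforces it, a non-zero `rtm_hdrlen` smaller than `sizeof(struct rt_msghdr)` still passes, and the address parsing that presumably starts at `(caddr_t)rtm + rtm->rtm_hdrlen` would then begin inside the header itself; `if (rtm->rtm_hdrlen < sizeof(struct rt_msghdr) || len < rtm->rtm_hdrlen) {` bounds the value at both ends. Both `len` and `rtm_hdrlen` come from the client's message, so this guard is the right single place to validate them. route_output begins and ends outside this hunk, and the hunk's final context line appears to be missing from the page.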