ng_hci: Add sockaddr validation to sendto()
ng_btsocket_hci_raw_send() wasn't verifying that the destination address
specified by sendto() is large enough to fill a struct sockaddr_hci.
Thus, when copying the socket address into an mbuf,
ng_btsocket_hci_raw_send() may read past the end of the input sockaddr
while copying.
In practice this is effectively harmless since
ng_btsocket_hci_raw_output() only uses the address to identify a
netgraph node.
Reported by: Oliver Sieber <oliver@secfault-security.com>
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 7f7b4926a7
)
parent
e750111ced
commit
6f028e9108
|
@ -1610,6 +1610,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags, struct mbuf *m,
|
|||
goto drop;
|
||||
}
|
||||
|
||||
if (sa != NULL) {
|
||||
if (sa->sa_family != AF_BLUETOOTH) {
|
||||
error = EAFNOSUPPORT;
|
||||
goto drop;
|
||||
}
|
||||
if (sa->sa_len != sizeof(struct sockaddr_hci)) {
|
||||
error = EINVAL;
|
||||
goto drop;
|
||||
}
|
||||
}
|
||||
|
||||
mtx_lock(&pcb->pcb_mtx);
|
||||
|
||||
error = ng_btsocket_hci_raw_filter(pcb, m, 0);
|
||||
|
|
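Review bot: The new `sa->sa_len != sizeof(struct sockaddr_hci)` test carries no comment saying what it protects, and the copy it guards is outside this hunk, so a reader of the function cannot tell why an exact match is required. I would add above the `if (sa != NULL)` block: `/* sa is copied below as a full struct sockaddr_hci; reject any other length so the copy cannot read past the caller's address */`. The check bounds the length only; if the consumer named in the commit message compares `hci_node` as a C string, it is worth confirming that an unterminated name cannot run past the structure, since that code is not visible here. Both checks sit before `mtx_lock(&pcb->pcb_mtx)`, so the `goto drop` paths presumably leave with no lock held, but the `drop` label and the rest of ng_btsocket_hci_raw_send() are outside the hunk.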