mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-09 12:46:43 +00:00
ng_hci: Add sockaddr validation to sendto()
ng_btsocket_hci_raw_send() wasn't verifying that the destination address specified by sendto() is large enough to fill a struct sockaddr_hci. Thus, when copying the socket address into an mbuf, ng_btsocket_hci_raw_send() may read past the end of the input sockaddr while copying. In practice this is effectively harmless since ng_btsocket_hci_raw_output() only uses the address to identify a netgraph node. Reported by: Oliver Sieber <oliver@secfault-security.com> MFC after: 1 week Sponsored by: The FreeBSD Foundation
This commit is contained in:
parent
800da341bc
commit
7f7b4926a7
|
@ -1598,6 +1598,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags, struct mbuf *m,
|
|||
goto drop;
|
||||
}
|
||||
|
||||
if (sa != NULL) {
|
||||
if (sa->sa_family != AF_BLUETOOTH) {
|
||||
error = EAFNOSUPPORT;
|
||||
goto drop;
|
||||
}
|
||||
if (sa->sa_len != sizeof(struct sockaddr_hci)) {
|
||||
error = EINVAL;
|
||||
goto drop;
|
||||
}
|
||||
}
|
||||
|
||||
mtx_lock(&pcb->pcb_mtx);
|
||||
|
||||
error = ng_btsocket_hci_raw_filter(pcb, m, 0);
|
||||
|
|
Loading…
Reference in New Issue
Block a user