ng_hci: Add sockaddr validation to sendto()

ng_btsocket_hci_raw_send() wasn't verifying that the destination address
specified by sendto() is large enough to fill a struct sockaddr_hci.
Thus, when copying the socket address into an mbuf,
ng_btsocket_hci_raw_send() may read past the end of the input sockaddr
while copying.

In practice this is effectively harmless since
ng_btsocket_hci_raw_output() only uses the address to identify a
netgraph node.

Reported by:	Oliver Sieber <oliver@secfault-security.com>
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Mark Johnston 2024-04-22 11:48:00 -04:00
parent 800da341bc
commit 7f7b4926a7


@ -1598,6 +1598,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags, struct mbuf *m,
goto drop;
}
if (sa != NULL) {
if (sa->sa_family != AF_BLUETOOTH) {
error = EAFNOSUPPORT;
goto drop;
}
if (sa->sa_len != sizeof(struct sockaddr_hci)) {
error = EINVAL;
goto drop;
}
}
mtx_lock(&pcb->pcb_mtx);
error = ng_btsocket_hci_raw_filter(pcb, m, 0);
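Review bot: the new length check `if (sa->sa_len != sizeof(struct sockaddr_hci))` tests for exact equality, which is stricter than the "large enough" wording in the commit message: an oversized sockaddr is rejected with EINVAL as well as a short one. That is a reasonable choice for a raw socket whose address is a fixed-size struct, but a one-line comment above the check (or a sentence in the commit message) saying that only exactly sized addresses are accepted would save the next reader from wondering whether `<` was intended. The placement is otherwise right: both validation failures `goto drop` before `mtx_lock(&pcb->pcb_mtx)` is taken, so the error path does not need an unlock, and the family check comes first so a non-AF_BLUETOOTH address gets EAFNOSUPPORT rather than a misleading EINVAL.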