From 7f7b4926a779845116913c85ecbb10527daeab02 Mon Sep 17 00:00:00 2001
From: Mark Johnston
Date: Mon, 22 Apr 2024 11:48:00 -0400
Subject: [PATCH] ng_hci: Add sockaddr validation to sendto()

ng_btsocket_hci_raw_send() wasn't verifying that the destination address specified by sendto() is large enough to fill a struct sockaddr_hci. Thus, when copying the socket address into an mbuf, ng_btsocket_hci_raw_send() may read past the end of the input sockaddr while copying. In practice this is effectively harmless since ng_btsocket_hci_raw_output() only uses the address to identify a netgraph node.

Reported by: Oliver Sieber
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
---
 sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
index 5d015b2eac6e..b8caf0c515fd 100644
--- a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
+++ b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
@@ -1598,6 +1598,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags, struct mbuf *m,
 goto drop;
 }
 
+ if (sa != NULL) {
+ if (sa->sa_family != AF_BLUETOOTH) {
+ error = EAFNOSUPPORT;
+ goto drop;
+ }
+ if (sa->sa_len != sizeof(struct sockaddr_hci)) {
+ error = EINVAL;
+ goto drop;
+ }
+ }
+
 mtx_lock(&pcb->pcb_mtx);
 
 error = ng_btsocket_hci_raw_filter(pcb, m, 0);
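Review bot: The new `sa->sa_len != sizeof(struct sockaddr_hci)` test rejects over-long addresses as well as the under-sized ones the commit message describes, so a caller that hands sendto() a larger buffer with its full length (a sockaddr_storage, say) now gets EINVAL where it previously worked; if that stricter contract is intended it deserves a comment, otherwise `<` is the check that matches the stated bug. I would put `/* The address is copied into an mbuf as a struct sockaddr_hci below; reject any other size so the copy cannot read past the caller's buffer. */` above `if (sa != NULL) {`. Reading `sa->sa_family` before `sa_len` is only safe if the sockaddr copy-in already enforced a minimum length, which the hunk does not show, so that assumption should be confirmed against the socket layer. The sa == NULL path is left unvalidated here, presumably because the copy is skipped in that case, but that is not visible in the hunk either; ng_btsocket_hci_raw_send() starts and ends outside it.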