netlink: fix bug with socket buffer character counter underflow
Cover the case where an nb that we are now reading in full had already been partially consumed by a previous read(2) and therefore has a positive offset. Add a couple of assertions that would have caught this earlier.
parent
f75d7fac10
commit
d9b1f6fbf9
@ -744,6 +744,7 @@ nl_soreceive(struct socket *so, struct sockaddr **psa, struct uio *uio,
offset = nb->offset;
offset = nb->offset;
while (offset < nb->datalen) {
while (offset < nb->datalen) {
hdr = (struct nlmsghdr *)&nb->data[offset];
hdr = (struct nlmsghdr *)&nb->data[offset];
|
MPASS(nb->offset + hdr->nlmsg_len <= nb->datalen);
if (uio->uio_resid < len + hdr->nlmsg_len) {
if (uio->uio_resid < len + hdr->nlmsg_len) {
overflow = len + hdr->nlmsg_len -
overflow = len + hdr->nlmsg_len -
uio->uio_resid;
uio->uio_resid;
@ -784,7 +785,7 @@ nl_soreceive(struct socket *so, struct sockaddr **psa, struct uio *uio,
msgrcv++;
msgrcv++;
}
}
MPASS(offset == nb->datalen);
MPASS(offset == nb->datalen);
datalen += nb->datalen;
datalen += nb->datalen - nb->offset;
}
}
nospace:
nospace:
last = nb;
last = nb;
@ -796,6 +797,7 @@ nl_soreceive(struct socket *so, struct sockaddr **psa, struct uio *uio,
TAILQ_FIRST(&sb->nl_queue) = last;
TAILQ_FIRST(&sb->nl_queue) = last;
last->tailq.tqe_prev = &TAILQ_FIRST(&sb->nl_queue);
last->tailq.tqe_prev = &TAILQ_FIRST(&sb->nl_queue);
}
}
|
MPASS(sb->sb_acc >= datalen);
sb->sb_acc -= datalen;
sb->sb_acc -= datalen;
sb->sb_ccc -= datalen;
sb->sb_ccc -= datalen;
}
}
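Review bot: The new assertion in the first hunk, `MPASS(nb->offset + hdr->nlmsg_len <= nb->datalen);`, bounds the current message against the nb's starting offset rather than the loop cursor `offset`, so it only checks what it appears to for the first message of an nb; once `offset` has advanced past `nb->offset` (the advance is presumably further down, outside the hunk) a message running past `datalen` would still pass it. If the intent is to assert that `hdr` lies within the buffer, `MPASS(offset + hdr->nlmsg_len <= nb->datalen);` is the check. Since `nlmsg_len` is read from kernel-written data this is a debug aid rather than an input check, and a short comment such as `/* messages were laid out by the kernel; assert they stay within the nb */` would make that explicit. In the third hunk `sb_ccc` is decremented next to `sb_acc` without a matching `MPASS(sb->sb_ccc >= datalen);`, which would document the same underflow invariant for the other counter. nl_soreceive begins before the first hunk and continues between and after them.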