Page MenuHomeFreeBSD
Differential D20948

Input validation for l_linger
ClosedPublic
Actions

Authored by tuexen on Jul 14 2019, 2:44 PM.
Tags
None
Referenced Files
F148342990: D20948.diff
Tue, Mar 17, 6:32 AM
F148337383: D20948.id59744.diff
Tue, Mar 17, 5:51 AM
Unknown Object (File)
Mon, Mar 16, 2:21 AM
Unknown Object (File)
Sun, Mar 8, 5:37 PM
Unknown Object (File)
Sun, Mar 8, 10:23 AM
Unknown Object (File)
Sun, Mar 8, 4:39 AM
Unknown Object (File)
Sat, Mar 7, 4:07 PM
Unknown Object (File)
Tue, Mar 3, 6:25 PM
View All Files
Subscribers
imp

Details

Reviewers
markj
jtl
glebius
Commits
rS360705: MFC r349989: Improve input validation for l_linger
rS351973: MFC r349989:
rS349989: Improve the input validation for l_linger.
Summary

When using the SOL_SOCKET level socket option SO_LINGER, the structure struct linger is used as the option value. The component l_linger is of type int, but internally copied to the field so_linger of the structure struct socket. The type of so_linger is short, but it is assumed to be non-negative and the value is used to compute ticks to be stored in a variable of type int.

Therefore, perform input validation on l_linger similar to the one performed by NetBSD and OpenBSD.

Thanks to syzkaller for making me aware of this issue.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

tuexen created this revision.Jul 14 2019, 2:44 PM
Herald added a subscriber: imp. · View Herald TranscriptJul 14 2019, 2:44 PM
Harbormaster completed remote builds in B25336: Diff 59736.Jul 14 2019, 2:44 PM
markj accepted this revision.Jul 14 2019, 5:07 PM

We also have the (unused) so_linger_set(), which should possibly assert that the input value is valid.

This revision is now accepted and ready to land.Jul 14 2019, 5:07 PM
tuexen updated this revision to Diff 59743.Jul 14 2019, 7:02 PM

Use KASSERT in so_linger_set() to ensure that the value is valid as suggested by markj@.

This revision now requires review to proceed.Jul 14 2019, 7:02 PM
Harbormaster completed remote builds in B25340: Diff 59743.Jul 14 2019, 7:02 PM
tuexen added a comment.Jul 14 2019, 7:03 PM
In D20948#454139, @markj wrote:

We also have the (unused) so_linger_set(), which should possibly assert that the input value is valid.

Added in updated version.

markj accepted this revision.Jul 14 2019, 7:35 PM
This revision is now accepted and ready to land.Jul 14 2019, 7:35 PM
Closed by commit rS349989: Improve the input validation for l_linger. (authored by tuexen). · Explain WhyJul 14 2019, 9:44 PM
This revision was automatically updated to reflect the committed changes.
tuexen added a commit: rS349989: Improve the input validation for l_linger..
tuexen added a commit: rS351973: MFC r349989:.Sep 7 2019, 10:49 AM
tuexen added a commit: rS360705: MFC r349989: Improve input validation for l_linger.May 6 2020, 10:00 PM

Revision Contents
Changeset List

PathSize
head/
sys/
kern/
10 lines

Diff 59744

View Options

head/sys/kern/uipc_socket.c

Loading...