Page MenuHomeFreeBSD

dummynet: Fix socket option length validation for IP_DUMMYNET3
ClosedPublic

Authored by markj on Nov 26 2021, 4:02 PM.

Details

Summary

The socket option handler tries to ensure that the option length is no
larger than some reasonable maximum, and no smaller than sizeof(struct
dn_id). But the loaded option length is stored in an int, which is
converted to an unsigned integer for the comparison with a size_t, so
negative values are not caught and get passed to malloc().

Use a cast to enforce the intended comparison. Found by code
inspection.

MFC after: 1 week
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository
R10 FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Wouldn't it make more sense to change l to be a size_t? sopt->sopt_valsize is a size_t, and the arguments to sootcopyin() are also size_t.
It's only do_config() which takes an int, and that may want to be changed to take a size_t as well.

In D33133#748895, @kp wrote:

Wouldn't it make more sense to change l to be a size_t? sopt->sopt_valsize is a size_t, and the arguments to sootcopyin() are also size_t.
It's only do_config() which takes an int, and that may want to be changed to take a size_t as well.

Yeah, that's the right solution.

Make do_config() take a size_t instead.

This revision is now accepted and ready to land.Nov 29 2021, 5:12 PM