umb: avoid buffer overflow in umb_in_len2mask()
len comes from ipv4elem.prefixlen in a MBIM_CID_IP_CONFIGURATION message from the USB device, and should not be trusted, as it could be any uint32_t value. Without this extra check, a potential buffer overflow could subsequently occur in umb_in_len2mask(). Fix from Gerhard Roth, after coordination upstream with OpenBSD. PR: 284904 Reported by: Robert Morris <rtm@lcs.mit.edu> Approved by: philip (mentor) Sponsored by: The FreeBSD Foundation
This commit is contained in:
@@ -1753,7 +1753,8 @@ umb_add_inet_config(struct umb_softc *sc, struct in_addr ip, u_int prefixlen,
|
||||
sin = (struct sockaddr_in *)&ifra.ifra_mask;
|
||||
sin->sin_family = AF_INET;
|
||||
sin->sin_len = sizeof (*sin);
|
||||
umb_in_len2mask(&sin->sin_addr, prefixlen);
|
||||
umb_in_len2mask(&sin->sin_addr,
|
||||
MIN(prefixlen, sizeof (struct in_addr) * 8));
|
||||
|
||||
mtx_unlock(&sc->sc_mutex);
|
||||
CURVNET_SET_QUIET(if_getvnet(ifp));
|
||||
|
||||
Reference in New Issue
Block a user