umb: avoid buffer overflow in umb_in_len2mask()

len comes from ipv4elem.prefixlen in a MBIM_CID_IP_CONFIGURATION message
from the USB device, and should not be trusted, as it could be any
uint32_t value. Without this extra check, a potential buffer overflow
could subsequently occur in umb_in_len2mask().

Fix from Gerhard Roth, after coordination upstream with OpenBSD.

PR:		284904
Reported by:	Robert Morris <rtm@lcs.mit.edu>
Approved by:	philip (mentor)
Sponsored by:	The FreeBSD Foundation
This commit is contained in:
Pierre Pronchery
2025-05-27 01:18:53 +02:00
parent 7f81f87a74
commit 5ed36e2e17
+2 -1
View File
@@ -1753,7 +1753,8 @@ umb_add_inet_config(struct umb_softc *sc, struct in_addr ip, u_int prefixlen,
sin = (struct sockaddr_in *)&ifra.ifra_mask;
sin->sin_family = AF_INET;
sin->sin_len = sizeof (*sin);
umb_in_len2mask(&sin->sin_addr, prefixlen);
umb_in_len2mask(&sin->sin_addr,
MIN(prefixlen, sizeof (struct in_addr) * 8));
mtx_unlock(&sc->sc_mutex);
CURVNET_SET_QUIET(if_getvnet(ifp));