ng_hci: Add sockaddr validation to sendto()
ng_btsocket_hci_raw_send() wasn't verifying that the destination address specified by sendto() is large enough to fill a struct sockaddr_hci. Thus, when copying the socket address into an mbuf, ng_btsocket_hci_raw_send() may read past the end of the input sockaddr while copying. In practice this is effectively harmless since ng_btsocket_hci_raw_output() only uses the address to identify a netgraph node.

Reported by: Oliver Sieber <oliver@secfault-security.com>
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
@@ -1598,6 +1598,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags, struct mbuf *m,
|
|||||||
goto drop;
|
goto drop;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (sa != NULL) {
|
||||||
|
if (sa->sa_family != AF_BLUETOOTH) {
|
||||||
|
error = EAFNOSUPPORT;
|
||||||
|
goto drop;
|
||||||
|
}
|
||||||
|
if (sa->sa_len != sizeof(struct sockaddr_hci)) {
|
||||||
|
error = EINVAL;
|
||||||
|
goto drop;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
mtx_lock(&pcb->pcb_mtx);
|
mtx_lock(&pcb->pcb_mtx);
|
||||||
|
|
||||||
error = ng_btsocket_hci_raw_filter(pcb, m, 0);
|
error = ng_btsocket_hci_raw_filter(pcb, m, 0);
|
||||||
|
|||||||
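Review bot: The new `sa->sa_len != sizeof(struct sockaddr_hci)` check carries no comment saying what it protects, and the mbuf copy it guards (named only in the commit message) lies outside this hunk, so a later reader sees an exact-size requirement with no stated reason; suggest `/* sa is copied further down as a whole struct sockaddr_hci; an exact length check keeps that copy inside the caller's buffer. */` directly above the `if`. The exact-size test is also stricter than the previous behavior, which accepted any sockaddr, so callers that passed a shorter sa_len and relied on the node name being read anyway will now get EINVAL; that is the right trade for the over-read, but it is worth a sentence in the comment since the error code alone does not explain it. Reading `sa->sa_family` before the length test presumably relies on the socket layer guaranteeing at least a sockaddr header is present; if that guarantee is not established elsewhere, the `sa_len` check should come first. The enclosing ng_btsocket_hci_raw_send() starts and ends outside the hunk.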