git: 9573cc35555e - main - rtsock: fix a stack overflow
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 13 May 2022 20:06:12 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=9573cc35555eb0da35da5712462de9f6107fb974
commit 9573cc35555eb0da35da5712462de9f6107fb974
Author: Kurosawa Takahiro <takahiro.kurosawa@gmail.com>
AuthorDate: 2022-05-13 17:58:11 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-05-13 18:05:36 +0000
rtsock: fix a stack overflow
struct sockaddr is not sufficient for buffer that can hold any
sockaddr_* structure. struct sockaddr_storage should be used.
Test:
ifconfig epair create
ifconfig epair0a inet6 add 2001:db8::1 up
ndp -s 2001:db8::2 02:86:98:2e:96:0b proxy # this triggers kernel stack overflow
Reviewed by: markj, kp
Differential Revision: https://reviews.freebsd.org/D35188
---
sys/net/rtsock.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index bc35255315b2..bbdd0279a04c 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -786,7 +786,7 @@ handle_rtm_get(struct rt_addrinfo *info, u_int fibnum,
* TODO: move this logic to userland.
*/
if (rtm->rtm_flags & RTF_ANNOUNCE) {
- struct sockaddr laddr;
+ struct sockaddr_storage laddr;
if (nh->nh_ifp != NULL &&
nh->nh_ifp->if_type == IFT_PROPVIRTUAL) {
@@ -796,17 +796,17 @@ handle_rtm_get(struct rt_addrinfo *info, u_int fibnum,
RT_ALL_FIBS);
if (ifa != NULL)
rt_maskedcopy(ifa->ifa_addr,
- &laddr,
+ (struct sockaddr *)&laddr,
ifa->ifa_netmask);
} else
rt_maskedcopy(nh->nh_ifa->ifa_addr,
- &laddr,
+ (struct sockaddr *)&laddr,
nh->nh_ifa->ifa_netmask);
/*
* refactor rt and no lock operation necessary
*/
- rc->rc_rt = (struct rtentry *)rnh->rnh_matchaddr(&laddr,
- &rnh->head);
+ rc->rc_rt = (struct rtentry *)rnh->rnh_matchaddr(
+ (struct sockaddr *)&laddr, &rnh->head);
if (rc->rc_rt == NULL) {
RIB_RUNLOCK(rnh);
return (ESRCH);