git: 579b45e20328 - main - unix/*: check new control size in unp_internalize()
Date: Wed, 25 May 2022 20:30:08 UTC
The branch main has been updated by glebius:
URL: https://cgit.FreeBSD.org/src/commit/?id=579b45e203287f78cfb4a91491893b2919aa9ec4
commit 579b45e203287f78cfb4a91491893b2919aa9ec4
Author: Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2022-05-25 20:29:13 +0000
Commit: Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2022-05-25 20:29:13 +0000
unix/*: check new control size in unp_internalize()
Now that we call sbcreatecontrol() with M_WAITOK, we are expected to
pass a valid size. Return the same error code we are returning for an
oversized control from sockargs().
Reviewed by: markj
Differential revision: https://reviews.freebsd.org/D35317
---
sys/kern/uipc_usrreq.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/sys/kern/uipc_usrreq.c b/sys/kern/uipc_usrreq.c
index f08b972c6de6..cf9e04034760 100644
--- a/sys/kern/uipc_usrreq.c
+++ b/sys/kern/uipc_usrreq.c
@@ -2241,6 +2241,19 @@ unp_internalize(struct mbuf **controlp, struct thread *td)
oldfds = datalen / sizeof (int);
if (oldfds == 0)
break;
+ /* On some machines sizeof pointer is bigger than
+ * sizeof int, so we need to check if data fits into
+ * single mbuf. We could allocate several mbufs, and
+ * unp_externalize() should even properly handle that.
+ * But it is not worth to complicate the code for an
+ * insane scenario of passing over 200 file descriptors
+ * at once.
+ */
+ newlen = oldfds * sizeof(fdep[0]);
+ if (CMSG_SPACE(newlen) > MCLBYTES) {
+ error = EMSGSIZE;
+ goto out;
+ }
/*
* Check that all the FDs passed in refer to legal
* files. If not, reject the entire operation.
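Review bot: The limit stated in the new comment ("over 200 file descriptors") is not what the code enforces: the check is `CMSG_SPACE(newlen) > MCLBYTES`, so the real cap depends on MCLBYTES and on sizeof(fdep[0]) for the platform. Consider wording the comment in terms of those two quantities so it stays correct if either changes, and consider documenting the EMSGSIZE return for SCM_RIGHTS where callers will look for it, since a sender that previously got through with a large descriptor array now sees a new failure. A smaller style point: the added block comment starts its text on the `/*` line, while the existing comment right below it ("Check that all the FDs passed in refer to legal files") opens with `/*` on its own line; matching that keeps the function consistent.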
@@ -2265,7 +2278,6 @@ unp_internalize(struct mbuf **controlp, struct thread *td)
* Now replace the integer FDs with pointers to the
* file structure and capability rights.
*/
- newlen = oldfds * sizeof(fdep[0]);
*controlp = sbcreatecontrol(NULL, newlen,
SCM_RIGHTS, SOL_SOCKET, M_WAITOK);
fdp = data;
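Review bot: With the `newlen = oldfds * sizeof(fdep[0]);` assignment removed here, the `sbcreatecontrol(NULL, newlen, SCM_RIGHTS, SOL_SOCKET, M_WAITOK)` call now depends on a value computed and bounds-checked in the earlier hunk, and nothing at the call site says so. Since the commit message notes that an M_WAITOK caller is expected to pass a valid size, a one-line comment or a KASSERT on `CMSG_SPACE(newlen) <= MCLBYTES` just before the call would make that precondition explicit and catch any later change that introduces a path to this point without the check.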