git: 7f7b4926a779 - main - ng_hci: Add sockaddr validation to sendto()
Date: Mon, 22 Apr 2024 15:54:29 UTC
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=7f7b4926a779845116913c85ecbb10527daeab02 commit 7f7b4926a779845116913c85ecbb10527daeab02 Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2024-04-22 15:48:00 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-04-22 15:48:00 +0000 ng_hci: Add sockaddr validation to sendto() ng_btsocket_hci_raw_send() wasn't verifying that the destination address specified by sendto() is large enough to fill a struct sockaddr_hci. Thus, when copying the socket address into an mbuf, ng_btsocket_hci_raw_send() may read past the end of the input sockaddr while copying. In practice this is effectively harmless since ng_btsocket_hci_raw_output() only uses the address to identify a netgraph node. Reported by: Oliver Sieber <oliver@secfault-security.com> MFC after: 1 week Sponsored by: The FreeBSD Foundation --- sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c index 5d015b2eac6e..b8caf0c515fd 100644 --- a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c +++ b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c @@ -1598,6 +1598,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags, struct mbuf *m, goto drop; } + if (sa != NULL) { + if (sa->sa_family != AF_BLUETOOTH) { + error = EAFNOSUPPORT; + goto drop; + } + if (sa->sa_len != sizeof(struct sockaddr_hci)) { + error = EINVAL; + goto drop; + } + } + mtx_lock(&pcb->pcb_mtx); error = ng_btsocket_hci_raw_filter(pcb, m, 0);
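Review bot: the length test in this hunk uses strict equality, `if (sa->sa_len != sizeof(struct sockaddr_hci))`, so besides the short addresses that cause the over-read described in the commit message it also rejects any longer address a caller passes, which is a behaviour change for callers that previously handed in a larger buffer; if tightening the accepted length is intended, the commit message should say so, otherwise `sa->sa_len < sizeof(struct sockaddr_hci)` closes the over-read without that change. Placing both checks ahead of `mtx_lock(&pcb->pcb_mtx)` is the right choice, since the `goto drop` paths then need no unlock.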
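As an added example, not code from this commit or from the FreeBSD tree: a user-space model in C of the sendto() address check the patch adds, so the pre-fix over-read and the post-fix rejections can be exercised without a kernel. The struct layouts, the AF constant, the node name "ubt0hci" and every ex_/hci_ name below are assumptions made for the example, not the kernel's definitions.

```c
/*
 * Added example, not code from the FreeBSD commit: a user-space model of the
 * sendto() address check that ng_btsocket_hci_raw_send() gained. The struct
 * layouts, the AF constant and every ex_/hci_ name below are assumptions made
 * for this example, not the kernel's own definitions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_AF_BLUETOOTH 36      /* assumed constant standing in for AF_BLUETOOTH */
#define EX_SOCK_MAXADDRLEN 255  /* assumed cap, in the spirit of SOCK_MAXADDRLEN */

struct ex_sockaddr {            /* BSD generic sockaddr: the length byte comes first */
	uint8_t sa_len;
	uint8_t sa_family;
	char    sa_data[14];
};

struct ex_sockaddr_hci {        /* modelled on struct sockaddr_hci; 32 is assumed */
	uint8_t hci_len;
	uint8_t hci_family;
	char    hci_node[32];   /* netgraph node name the raw HCI socket sends to */
};

/* Mirror of the check the commit adds: 0 on success, else an errno value. */
int hci_validate_sockaddr(const struct ex_sockaddr *sa)
{
	if (sa == NULL)
		return 0;               /* no destination given: nothing to check */
	if (sa->sa_family != EX_AF_BLUETOOTH)
		return EAFNOSUPPORT;
	if (sa->sa_len != sizeof(struct ex_sockaddr_hci))
		return EINVAL;
	return 0;
}

/* Pre-fix behaviour: the address was copied as a whole sockaddr_hci no matter
 * how many bytes the caller supplied. Returns how many bytes such a copy would
 * read beyond the supplied address (0 when the caller gave enough). */
size_t hci_unchecked_overread(size_t addrlen)
{
	size_t need = sizeof(struct ex_sockaddr_hci);
	return addrlen < need ? need - addrlen : 0;
}

/* Post-fix path for one sendto(): copy the user address in the way a
 * getsockaddr()-style helper does (sa_len is rewritten to the length actually
 * passed), validate it, and only then copy a full sockaddr_hci out. */
int hci_sendto_addr(const void *uaddr, size_t addrlen, struct ex_sockaddr_hci *out)
{
	uint8_t kbuf[EX_SOCK_MAXADDRLEN];
	struct ex_sockaddr *sa = (struct ex_sockaddr *)kbuf;
	int error;

	if (addrlen > sizeof(kbuf))
		return ENAMETOOLONG;
	if (addrlen < offsetof(struct ex_sockaddr, sa_data))
		return EINVAL;
	memcpy(kbuf, uaddr, addrlen);
	sa->sa_len = (uint8_t)addrlen;

	error = hci_validate_sockaddr(sa);
	if (error != 0)
		return error;
	memcpy(out, kbuf, sizeof(*out));   /* in bounds: sa_len == sizeof(*out) */
	return 0;
}

/* Constructed sample destination naming a hypothetical node "ubt0hci",
 * presented to the model as addrlen bytes tagged with the given family. */
int hci_case(size_t addrlen, uint8_t family, struct ex_sockaddr_hci *out)
{
	uint8_t ubuf[EX_SOCK_MAXADDRLEN + 1] = { 0 };
	struct ex_sockaddr_hci scratch;
	struct ex_sockaddr_hci sample = {
		(uint8_t)sizeof(struct ex_sockaddr_hci), family, "ubt0hci"
	};

	memcpy(ubuf, &sample, sizeof(sample));
	return hci_sendto_addr(ubuf, addrlen, out != NULL ? out : &scratch);
}

/* 1 when a correctly sized address passes the check with its node name intact. */
int hci_case_node_ok(void)
{
	struct ex_sockaddr_hci out;

	return hci_case(sizeof(out), EX_AF_BLUETOOTH, &out) == 0 &&
	    strcmp(out.hci_node, "ubt0hci") == 0;
}

int main(void)
{
	struct ex_sockaddr_hci out;
	int error = hci_case(sizeof(out), EX_AF_BLUETOOTH, &out);

	printf("full address:    error=%d node=%s\n", error, out.hci_node);
	printf("16-byte address: error=%d, unchecked copy over-reads %zu bytes\n",
	    hci_case(16, EX_AF_BLUETOOTH, NULL), hci_unchecked_overread(16));
	printf("wrong family:    error=%d\n", hci_case(sizeof(out), 2, NULL));
	printf("64-byte address: error=%d\n", hci_case(64, EX_AF_BLUETOOTH, NULL));
	return 0;
}
```

The 16-byte case is the shape of the bug: a caller passing a plain struct sockaddr is accepted before the fix, and the copy into the mbuf then reads 18 bytes past what was supplied; after the fix it fails with EINVAL before any copy. The 64-byte case shows the side effect of the strict equality test, which rejects oversized addresses as well.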