git: 7f7b4926a779 - main - ng_hci: Add sockaddr validation to sendto()

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Mon, 22 Apr 2024 15:54:29 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=7f7b4926a779845116913c85ecbb10527daeab02

commit 7f7b4926a779845116913c85ecbb10527daeab02
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-04-22 15:48:00 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-04-22 15:48:00 +0000

    ng_hci: Add sockaddr validation to sendto()
    
    ng_btsocket_hci_raw_send() wasn't verifying that the destination address
    specified by sendto() is large enough to fill a struct sockaddr_hci.
    Thus, when copying the socket address into an mbuf,
    ng_btsocket_hci_raw_send() may read past the end of the input sockaddr
    while copying.
    
    In practice this is effectively harmless since
    ng_btsocket_hci_raw_output() only uses the address to identify a
    netgraph node.
    
    Reported by:    Oliver Sieber <oliver@secfault-security.com>
    MFC after:      1 week
    Sponsored by:   The FreeBSD Foundation
---
 sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
index 5d015b2eac6e..b8caf0c515fd 100644
--- a/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
+++ b/sys/netgraph/bluetooth/socket/ng_btsocket_hci_raw.c
@@ -1598,6 +1598,17 @@ ng_btsocket_hci_raw_send(struct socket *so, int flags, struct mbuf *m,
 		goto drop;
 	}
 
+	if (sa != NULL) {
+		if (sa->sa_family != AF_BLUETOOTH) {
+			error = EAFNOSUPPORT;
+			goto drop;
+		}
+		if (sa->sa_len != sizeof(struct sockaddr_hci)) {
+			error = EINVAL;
+			goto drop;
+		}
+	}
+
 	mtx_lock(&pcb->pcb_mtx);
 
 	error = ng_btsocket_hci_raw_filter(pcb, m, 0);