svn commit: r300088 - in releng/9.3: . sys/conf sys/dev/kbd

[Gleb Smirnoff]

On Tue, May 17, 2016 at 03:59:26PM -0700, Bryan Drewery wrote:
B> > Author: glebius
B> > Date: Tue May 17 22:28:36 2016
B> > New Revision: 300088
B> > URL: https://svnweb.freebsd.org/changeset/base/300088
B> > 
B> > Log:
B> >   - Use unsigned version of min() when handling arguments of SETFKEY ioctl.
B> >   - Validate that user supplied control message length in sendmsg(2)
B> >     is not negative.
B> 
B> The sendmsg(2) change is not included here (9.3) nor in the advisory but
B> is in the commit log.  Was it intended to be changed in 9.3?

That was my failure to mention SA-16:19 in commit message for 9.3. It doesn't
apply to 9.x.

B> Plus the only consumer I see is sendit() which seems to be protected
B> already from negative values when not using COMPAT_43:
B> 
B> >                  if (mp->msg_controllen < sizeof(struct cmsghdr)
B> >  #ifdef COMPAT_OLDSOCK
B> >                      && mp->msg_flags != MSG_COMPAT
B> >  #endif
B> >                  ) {
B> >                          error = EINVAL;
B> >                          goto bad;
B> >                  }
B> >                  error = sockargs(&control, mp->msg_control,
B> >                      mp->msg_controllen, MT_CONTROL);

No, it isn't protected. In the comparison (mp->msg_controllen < sizeof(struct cmsghdr))
both values are unsigned. Later in sockargs() it is treated as signed.

-- 
Totus tuus, Glebius.