svn commit: r353331 - head/sys/kern

Mark Johnston markj at FreeBSD.org
Tue Oct 8 23:34:49 UTC 2019


Author: markj
Date: Tue Oct  8 23:34:48 2019
New Revision: 353331
URL: https://svnweb.freebsd.org/changeset/base/353331

Log:
  Fix handling of empty SCM_RIGHTS messages.
  
  As unp_internalize() processes the input control messages, it builds
  an output mbuf chain containing the internalized representations of
  those messages.  In one special case, that of an empty SCM_RIGHTS
  message, the message is simply discarded.  However, the loop which
  appends mbufs to the output chain assumed that each iteration would
  produce an mbuf, resulting in a null pointer dereference if an empty
  SCM_RIGHTS message was followed by a non-empty message.
  
  Fix this by advancing the output mbuf chain tail pointer only if an
  internalized control message was produced.
  
  Reported by:	syzbot+1b5cced0f7fad26ae382 at syzkaller.appspotmail.com
  MFC after:	1 week
  Sponsored by:	The FreeBSD Foundation

Modified:
  head/sys/kern/uipc_usrreq.c

Modified: head/sys/kern/uipc_usrreq.c
==============================================================================
--- head/sys/kern/uipc_usrreq.c	Tue Oct  8 21:40:42 2019	(r353330)
+++ head/sys/kern/uipc_usrreq.c	Tue Oct  8 23:34:48 2019	(r353331)
@@ -2318,7 +2318,8 @@ unp_internalize(struct mbuf **controlp, struct thread 
 			goto out;
 		}
 
-		controlp = &(*controlp)->m_next;
+		if (*controlp != NULL)
+			controlp = &(*controlp)->m_next;
 		if (CMSG_SPACE(datalen) < clen) {
 			clen -= CMSG_SPACE(datalen);
 			cm = (struct cmsghdr *)
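Review bot: The new `if (*controlp != NULL)` guard is correct but reads as purely defensive without context; a one-line comment above it noting that `*controlp` is NULL exactly when the previous iteration consumed a control message without emitting an mbuf (the discarded empty SCM_RIGHTS case from the log message) would make the invariant explicit for the next reader. Relatedly, the fix depends on every path through the loop body that produces no output leaving `*controlp` NULL rather than pointing at a stale mbuf; that initialisation is outside the hunk, so please confirm it holds for each such path, since otherwise a later non-empty message would be appended behind a dangling tail. A regression test sending an empty SCM_RIGHTS message followed by a non-empty one over a unix socket would pin the behaviour, given that this was found by a fuzzer rather than an existing test.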