dummynet: Fix socket option length validation for IP_DUMMYNET3
ClosedPublic
Actions

Authored by markj on Nov 26 2021, 4:02 PM.

Details

Reviewers

Commits

rG1c732c85911e: dummynet: Fix socket option length validation for IP_DUMMYNET3

Summary

The socket option handler tries to ensure that the option length is no
larger than some reasonable maximum, and no smaller than sizeof(struct
dn_id). But the loaded option length is stored in an int, which is
converted to an unsigned integer for the comparison with a size_t, so
negative values are not caught and get passed to malloc().

Use a cast to enforce the intended comparison. Found by code
inspection.

MFC after: 1 week
Sponsored by: The FreeBSD Foundation

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Nov 26 2021, 4:02 PM

Herald added subscribers: glebius, donner, melifaro and 2 others. · View Herald TranscriptNov 26 2021, 4:02 PM

markj requested review of this revision.Nov 26 2021, 4:02 PM

markj added a parent revision: D33132: dummynet: Avoid an out-of-bounds read in do_config().

Harbormaster completed remote builds in B42982: Diff 99057.Nov 26 2021, 4:02 PM

Wouldn't it make more sense to change l to be a size_t? sopt->sopt_valsize is a size_t, and the arguments to sootcopyin() are also size_t.
It's only do_config() which takes an int, and that may want to be changed to take a size_t as well.

In D33133#748895, @kp wrote:

Wouldn't it make more sense to change l to be a size_t? sopt->sopt_valsize is a size_t, and the arguments to sootcopyin() are also size_t.
It's only do_config() which takes an int, and that may want to be changed to take a size_t as well.

Yeah, that's the right solution.