author | Kurosawa Takahiro <takahiro.kurosawa@gmail.com> | 2022-05-13 17:58:11 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2022-05-13 18:05:36 +0000 |
commit | 9573cc35555eb0da35da5712462de9f6107fb974 (patch) | |
tree | 4bd810a9abd344f54fa19b64def86387b57835b9 | |
parent | d966efcc08071380cf89c46a167d5193043b6752 (diff) | |
rtsock: fix a stack overflow
struct sockaddr is not large enough for a buffer that must hold any
sockaddr_* structure. struct sockaddr_storage should be used instead.
Test:
ifconfig epair create
ifconfig epair0a inet6 add 2001:db8::1 up
ndp -s 2001:db8::2 02:86:98:2e:96:0b proxy # this triggers kernel stack overflow
Reviewed by: markj, kp
Differential Revision: https://reviews.freebsd.org/D35188
-rw-r--r-- | sys/net/rtsock.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index bc35255315b2..bbdd0279a04c 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -786,7 +786,7 @@ handle_rtm_get(struct rt_addrinfo *info, u_int fibnum, * TODO: move this logic to userland. */ if (rtm->rtm_flags & RTF_ANNOUNCE) { - struct sockaddr laddr; + struct sockaddr_storage laddr; if (nh->nh_ifp != NULL && nh->nh_ifp->if_type == IFT_PROPVIRTUAL) { @@ -796,17 +796,17 @@ handle_rtm_get(struct rt_addrinfo *info, u_int fibnum, RT_ALL_FIBS); if (ifa != NULL) rt_maskedcopy(ifa->ifa_addr, - &laddr, + (struct sockaddr *)&laddr, ifa->ifa_netmask); } else rt_maskedcopy(nh->nh_ifa->ifa_addr, - &laddr, + (struct sockaddr *)&laddr, nh->nh_ifa->ifa_netmask); /* * refactor rt and no lock operation necessary */ - rc->rc_rt = (struct rtentry *)rnh->rnh_matchaddr(&laddr, - &rnh->head); + rc->rc_rt = (struct rtentry *)rnh->rnh_matchaddr( + (struct sockaddr *)&laddr, &rnh->head); if (rc->rc_rt == NULL) { RIB_RUNLOCK(rnh); return (ESRCH); |
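Review bot: The new `struct sockaddr_storage laddr;` declaration in the `RTF_ANNOUNCE` block should carry a comment stating why the larger type is required, because nothing at the call sites shows it: `rt_maskedcopy()` is called with no destination length, so the copy is presumably bounded only by the source address's own length field. A comment such as `/* rt_maskedcopy() takes no dst size; laddr must hold any ifa_addr */` above the declaration would keep a later cleanup from shrinking the buffer again. If the helper does trust `sa_len`, a `KASSERT` that the source `sa_len` does not exceed `sizeof(laddr)` before each copy would make the remaining assumption explicit. The body of handle_rtm_get starts and ends outside the hunk.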
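Review bot: In the `IFT_PROPVIRTUAL` branch `laddr` is written only when `ifa != NULL`, yet it is passed to `rnh->rnh_matchaddr()` unconditionally afterwards, so when the interface-address lookup fails the match reads uninitialized stack memory. The commit changes the buffer's type but not this path. As far as the collapsed hunk shows, the existing failure path right below already does `RIB_RUNLOCK(rnh); return (ESRCH);`, and the same exit could be taken early: `if (ifa == NULL) { RIB_RUNLOCK(rnh); return (ESRCH); }`. The assignment to `ifa` and the end of the function are outside the hunk, so confirm that no other cleanup is needed on that exit.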