https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=218919
Bug ID: 218919
Summary: setsockopt() accepts too long arguments allowing programmer errors
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: [email protected]
Reporter: [email protected]

When a programmer mistakenly passes a size_t to a setsockopt() command that
takes an int, the sooptcopyin() function ignores the extra size. On
little-endian systems, the result works anyway. On big-endian systems, the
wrong bits of the size get copied, resulting in failure. An example of this can
be seen in https://reviews.freebsd.org/D10518.

Due to the use of unions as arguments to some setsockopt() commands, it is
somewhat clear why sooptcopyin() takes a length and minlength. It's less clear
to me that over-length parameters should be allowed, and in the case of
int/size_t confusion the current behavior is just wrong.

https://reviews.freebsd.org/D10519 contains one possible partial fix, but I
think a larger sweep is required and something more like a sooptcopyin_exact()
might be a better approach.
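
The truncation described in the report, as an added userspace example (not FreeBSD kernel code and not part of the original report). It assumes a 64-bit size_t and a 32-bit int; model_copyin(), model_copyin_exact(), store64(), load32() and pass_size_t() are hypothetical names, and the value 65536 is constructed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model (not kernel source): short values rejected, long ones truncated. */
static int model_copyin(const void *val, size_t valsize, void *buf,
                        size_t len, size_t minlen) {
    if (valsize < minlen) return EINVAL;
    if (valsize > len) valsize = len;   /* extra bytes are silently ignored */
    memcpy(buf, val, valsize);
    return 0;
}

/* Hypothetical strict variant, in the spirit of the proposed sooptcopyin_exact(). */
static int model_copyin_exact(const void *val, size_t valsize, void *buf, size_t len) {
    if (valsize != len) return EINVAL;  /* any size mismatch is an error */
    memcpy(buf, val, len);
    return 0;
}

/* Lay out v as a 64-bit size_t sits in memory for the given byte order. */
static void store64(uint8_t out[8], uint64_t v, int big_endian) {
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(v >> (big_endian ? 8 * (7 - i) : 8 * i));
}
/* Read the 4 copied bytes back as the 32-bit int the option handler uses. */
static uint32_t load32(const uint8_t in[4], int big_endian) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)in[i] << (big_endian ? 8 * (3 - i) : 8 * i);
    return v;
}

/* Pass 8 bytes where a 4-byte int is expected; *seen is what the handler reads. */
static int pass_size_t(uint64_t value, int big_endian, int exact, uint32_t *seen) {
    uint8_t user[8], kbuf[4] = {0};
    store64(user, value, big_endian);
    int err = exact ? model_copyin_exact(user, sizeof user, kbuf, sizeof kbuf)
                    : model_copyin(user, sizeof user, kbuf, sizeof kbuf, sizeof kbuf);
    *seen = load32(kbuf, big_endian);
    return err;
}

int main(void) {
    uint32_t le, be;
    int rc = pass_size_t(65536, 0, 0, &le) | pass_size_t(65536, 1, 0, &be);
    printf("lenient copy (rc=%d): LE sees %u, BE sees %u\n", rc, (unsigned)le, (unsigned)be);
    return 0;
}
```

With the lenient copy both byte orders return success, so the caller's type error only shows up as a wrong option value on big-endian; the exact-length check turns it into EINVAL on every platform.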