Tom Ivar Helbekkmo <t...@hamartun.priv.no> writes:

> Wouldn't it be better to check that sopt->sopt_size >= len, and return
> an error if not?

...in other words, something like this (the second change is for
sockopt_setmbuf() a few lines down, where I suspect the same risk is
present):

Index: sys/kern/uipc_socket.c
===================================================================
RCS file: /cvsroot/src/sys/kern/uipc_socket.c,v
retrieving revision 1.257
diff -u -u -r1.257 uipc_socket.c
--- sys/kern/uipc_socket.c      25 Oct 2017 08:12:39 -0000      1.257
+++ sys/kern/uipc_socket.c      31 Dec 2017 22:10:19 -0000
@@ -2109,7 +2109,9 @@
                        return error;
        }
 
-       KASSERT(sopt->sopt_size == len);
+       if (sopt->sopt_size < len)
+               return EINVAL;
+       
        memcpy(sopt->sopt_data, buf, len);
        return 0;
 }
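Review bot: the new `if (sopt->sopt_size < len) return EINVAL;` only rejects a destination that is too small; a larger one now passes, `memcpy(sopt->sopt_data, buf, len)` fills the first len bytes, and sopt_size is left as it was, so any caller that later copies out sopt_size bytes hands over an uninitialised tail. Either set `sopt->sopt_size = len;` after the memcpy (or record the stored length elsewhere), or keep a `KASSERT(sopt->sopt_size >= len)` next to the runtime check so a mismatch is still caught in debug kernels. Nit: the added blank line (`+` followed by spaces) carries trailing whitespace and can be dropped.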
@@ -2169,7 +2171,9 @@
                        return error;
        }
 
-       KASSERT(sopt->sopt_size == len);
+       if (sopt->sopt_size < len)
+               return EINVAL;
+       
        m_copydata(m, 0, len, sopt->sopt_data);
        m_freem(m);
 
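Review bot: the early `return EINVAL;` leaves m unfreed, while the success path releases it with `m_freem(m)` a few lines later; since the function takes ownership of the mbuf on success, a caller has no way to know it must free m on this new error path. Either call `m_freem(m)` before returning (the existing `return error;` above has the same asymmetry) or document that the caller keeps the mbuf on failure. Nit: the added blank line carries trailing whitespace.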

-tih
-- 
Most people who graduate with CS degrees don't understand the significance
of Lisp.  Lisp is the most important idea in computer science.  --Alan Kay
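Added example, not part of the mail thread and not NetBSD code: a user-space model of the length check the patch proposes, so the three cases (exact fit, destination too small, destination larger than the value) can be run side by side. The struct and function names (sockopt_model, sockopt_model_set, sopt_retlen) are hypothetical stand-ins for the kernel's struct sockopt and sockopt_set(); errno values are the standard ones. The model goes one step beyond the patch by recording the stored length, which is what a caller needs when the destination is larger than the value.

```c
/*
 * Added example: user-space model of a bounded sockopt_set().
 * Hypothetical names; this is not the NetBSD kernel code.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sockopt_model {
	size_t sopt_size;   /* capacity of sopt_data (caller-set or allocated) */
	void  *sopt_data;
	size_t sopt_retlen; /* bytes actually stored (hypothetical field) */
};

/* A caller-supplied, fixed-capacity buffer, as getsockopt(2) would pass. */
void
sockopt_model_init(struct sockopt_model *sopt, void *buf, size_t cap)
{
	sopt->sopt_size = cap;
	sopt->sopt_data = buf;
	sopt->sopt_retlen = 0;
}

/*
 * The patched behaviour: allocate when no buffer exists, reject a buffer
 * that is too small with EINVAL instead of asserting (a release kernel
 * without KASSERT would otherwise overrun it), and record the stored
 * length so a caller never copies out an uninitialised tail.
 */
int
sockopt_model_set(struct sockopt_model *sopt, const void *src, size_t len)
{
	if (sopt->sopt_size == 0) {
		sopt->sopt_data = malloc(len);
		if (sopt->sopt_data == NULL)
			return ENOMEM;
		sopt->sopt_size = len;
	}
	if (sopt->sopt_size < len)
		return EINVAL;
	memcpy(sopt->sopt_data, src, len);
	sopt->sopt_retlen = len;
	return 0;
}

/* Case 1: destination exactly fits the 4-byte constructed value. */
int
case_exact_fit(void)
{
	unsigned char buf[4];
	struct sockopt_model s;

	sockopt_model_init(&s, buf, sizeof buf);
	if (sockopt_model_set(&s, "abcd", 4) != 0)
		return -1;
	return (int)s.sopt_retlen;            /* 4 */
}

/* Case 2: destination too small; expect EINVAL and an intact canary. */
int
case_too_small(void)
{
	unsigned char buf[5] = { 0, 0, 0, 0, 0xA5 }; /* buf[4] is a canary */
	struct sockopt_model s;

	sockopt_model_init(&s, buf, 2);       /* only 2 bytes of capacity */
	if (sockopt_model_set(&s, "abcd", 4) != EINVAL)
		return -1;
	return buf[4] == 0xA5 && buf[0] == 0; /* 1: nothing was written */
}

/* Case 3: destination larger than the value; only sopt_retlen bytes are valid. */
int
case_larger_buffer(void)
{
	unsigned char buf[16];
	struct sockopt_model s;

	memset(buf, 0xFF, sizeof buf);        /* simulate stale contents */
	sockopt_model_init(&s, buf, sizeof buf);
	if (sockopt_model_set(&s, "abcd", 4) != 0)
		return -1;
	/* copying sopt_size bytes would leak the 0xFF tail; use sopt_retlen */
	return (int)s.sopt_retlen;            /* 4, while sopt_size is 16 */
}

int
main(void)
{
	printf("exact fit: %d, too small: %d, larger: %d\n",
	    case_exact_fit(), case_too_small(), case_larger_buffer());
	return 0;
}
```

The third case is the one the patch leaves open: with a larger destination the check passes, only len bytes are written, and whoever copies the buffer out must use the stored length rather than the capacity.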
