Tom Ivar Helbekkmo <t...@hamartun.priv.no> writes:

> Wouldn't it be better to check that sopt->sopt_size >= len, and return
> an error if not?
...in other words, something like this (the second change is for sockopt_setmbuf() a few lines down, where I suspect the same risk is present): Index: sys/kern/uipc_socket.c =================================================================== RCS file: /cvsroot/src/sys/kern/uipc_socket.c,v retrieving revision 1.257 diff -u -u -r1.257 uipc_socket.c --- sys/kern/uipc_socket.c 25 Oct 2017 08:12:39 -0000 1.257 +++ sys/kern/uipc_socket.c 31 Dec 2017 22:10:19 -0000 @@ -2109,7 +2109,9 @@ return error; } - KASSERT(sopt->sopt_size == len); + if (sopt->sopt_size < len) + return EINVAL; + memcpy(sopt->sopt_data, buf, len); return 0; } @@ -2169,7 +2171,9 @@ return error; } - KASSERT(sopt->sopt_size == len); + if (sopt->sopt_size < len) + return EINVAL; + m_copydata(m, 0, len, sopt->sopt_data); m_freem(m); -tih -- Most people who graduate with CS degrees don't understand the significance of Lisp. Lisp is the most important idea in computer science. --Alan Kay
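Review bot: in the sockopt_set() hunk, replacing `KASSERT(sopt->sopt_size == len);` with `if (sopt->sopt_size < len) return EINVAL;` now accepts a destination buffer larger than the value, but the following `memcpy(sopt->sopt_data, buf, len);` still fills only len bytes, so the trailing sopt_size - len bytes of sopt_data keep whatever they held before; if the caller hands sopt_size bytes (rather than len) back to userland, that stale tail would be returned. Either clear the tail after the memcpy (a memset over the remaining sopt_size - len bytes, casting sopt_data to char * for the arithmetic) or confirm that the caller reports len, not sopt_size, as the returned length. Since this also turns a debugging assertion into a real error return, the function's comment and the sockopt(9) man page should state that EINVAL means the preallocated buffer is too small for the value.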
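Review bot: in the sockopt_setmbuf() hunk, the new early `return EINVAL;` leaks the mbuf chain: the success path ends with `m_freem(m);` after the m_copydata, which shows this function owns and consumes m, but the new error exit returns before that free. Add m_freem(m) before returning EINVAL; the existing `return error;` after the allocation failure just above has the same shape and is worth checking for the same leak while you are here.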