Module Name: src Committed By: riastradh Date: Sun Jun 26 21:42:20 UTC 2022
Modified Files: src/sys/net: rtsock_shared.c Log Message: route(4): Avoid unaligned access to struct rt_msghdr. Reported-by: syzbot+e0048186a5cc97b1c...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/sys/net/rtsock_shared.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/rtsock_shared.c
diff -u src/sys/net/rtsock_shared.c:1.19 src/sys/net/rtsock_shared.c:1.20
--- src/sys/net/rtsock_shared.c:1.19 Fri Jun 26 15:53:59 2020
+++ src/sys/net/rtsock_shared.c Sun Jun 26 21:42:19 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: rtsock_shared.c,v 1.19 2020/06/26 15:53:59 roy Exp $ */
+/* $NetBSD: rtsock_shared.c,v 1.20 2022/06/26 21:42:19 riastradh Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.19 2020/06/26 15:53:59 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.20 2022/06/26 21:42:19 riastradh Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -658,6 +658,7 @@ COMPATNAME(route_output)(struct mbuf *m,
 int bound = curlwp_bind();
 bool do_rt_free = false;
 struct sockaddr_storage netmask;
+ unsigned short msglen;
 #define senderr(e) do { error = e; goto flush;} while (/*CONSTCOND*/ 0)
 if (m == NULL || ((m->m_len < sizeof(int32_t)) &&
@@ -668,8 +669,13 @@ COMPATNAME(route_output)(struct mbuf *m,
 if ((m->m_flags & M_PKTHDR) == 0)
 panic("%s", __func__);
 len = m->m_pkthdr.len;
- if (len < sizeof(*rtm) ||
- len != mtod(m, struct rt_xmsghdr *)->rtm_msglen) {
+ if (len < sizeof(*rtm)) {
+ info.rti_info[RTAX_DST] = NULL;
+ senderr(EINVAL);
+ }
+ memcpy(&msglen, &mtod(m, struct rt_xmsghdr *)->rtm_msglen,
+ sizeof(msglen));
+ if (len != msglen) {
 info.rti_info[RTAX_DST] = NULL;
 senderr(EINVAL);
 }
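Review bot: The new `memcpy` in the last hunk copies `sizeof(msglen)` bytes, so the read is sized by the local `unsigned short` declared in the previous hunk rather than by the type of `rtm_msglen`. It also relies on that field lying inside the first `sizeof(int32_t)` bytes, which is all the guard at the end of the previous hunk appears to make contiguous (that condition is cut off, presumably before a pull-up call). Since `rt_xmsghdr` looks like a per-variant name under COMPATNAME, I would pin both assumptions at compile time with `__CTASSERT(sizeof(msglen) == sizeof(((struct rt_xmsghdr *)0)->rtm_msglen));` and `__CTASSERT(offsetof(struct rt_xmsghdr, rtm_msglen) + sizeof(msglen) <= sizeof(int32_t));`. A one-line comment above the copy, such as `/* mbuf data may be unaligned: copy rtm_msglen out instead of dereferencing */`, would keep a later cleanup from folding it back into a direct member read. The body of route_output starts and ends outside both hunks, so whether later header reads go through an aligned copy cannot be confirmed from here.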