Module Name:    src
Committed By:   riastradh
Date:           Wed Jun 29 23:15:08 UTC 2022

Modified Files:
        src/sys/net: rtsock_shared.c

Log Message:
route(4): Avoid unaligned access to struct rt_msghdr, take two.

Can't even take the address of the misaligned struct member for
memcpy.  Just copy the header out into a stack variable instead.

Reported-by: syzbot+083d9be5cb3c2e78e...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/sys/net/rtsock_shared.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/rtsock_shared.c
diff -u src/sys/net/rtsock_shared.c:1.20 src/sys/net/rtsock_shared.c:1.21
--- src/sys/net/rtsock_shared.c:1.20	Sun Jun 26 21:42:19 2022
+++ src/sys/net/rtsock_shared.c	Wed Jun 29 23:15:08 2022
@@ -1,4 +1,4 @@
-/*	$NetBSD: rtsock_shared.c,v 1.20 2022/06/26 21:42:19 riastradh Exp $	*/
+/*	$NetBSD: rtsock_shared.c,v 1.21 2022/06/29 23:15:08 riastradh Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -61,7 +61,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.20 2022/06/26 21:42:19 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.21 2022/06/29 23:15:08 riastradh Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -647,6 +647,7 @@ int
 COMPATNAME(route_output)(struct mbuf *m, struct socket *so)
 {
 	struct sockproto proto = { .sp_family = PF_XROUTE, };
+	struct rt_xmsghdr hdr;
 	struct rt_xmsghdr *rtm = NULL;
 	struct rt_xmsghdr *old_rtm = NULL, *new_rtm = NULL;
 	struct rtentry *rt = NULL;
@@ -658,7 +659,6 @@ COMPATNAME(route_output)(struct mbuf *m,
 	int bound = curlwp_bind();
 	bool do_rt_free = false;
 	struct sockaddr_storage netmask;
-	unsigned short msglen;
 
 #define senderr(e) do { error = e; goto flush;} while (/*CONSTCOND*/ 0)
 	if (m == NULL || ((m->m_len < sizeof(int32_t)) &&
@@ -673,9 +673,8 @@ COMPATNAME(route_output)(struct mbuf *m,
 		info.rti_info[RTAX_DST] = NULL;
 		senderr(EINVAL);
 	}
-	memcpy(&msglen, &mtod(m, struct rt_xmsghdr *)->rtm_msglen,
-	    sizeof(msglen));
-	if (len != msglen) {
+	m_copydata(m, 0, sizeof(hdr), &hdr);
+	if (len != hdr.rtm_msglen) {
 		info.rti_info[RTAX_DST] = NULL;
 		senderr(EINVAL);
 	}
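Review bot: The added `m_copydata(m, 0, sizeof(hdr), &hdr)` is only safe if the mbuf chain holds at least `sizeof(hdr)` bytes, and nothing on the new lines states that precondition. The guard that ends just above it (`senderr(EINVAL)`) presumably rejects shorter messages, but its condition lies outside this hunk, as does the rest of route_output, so this should be confirmed against the full function. Because the message length and contents appear to come from the caller of the routing socket, I would pin the dependency next to the copy with a comment such as `/* len >= sizeof(hdr) was checked above, so the copy stays within the chain */`, or with `KASSERT(len >= sizeof(hdr));`. Then a later reordering of the checks cannot silently turn this into an over-long copy. It is also worth a one-line comment on the `hdr` declaration saying it exists only to read `rtm_msglen` from an aligned copy, since `rtm` is declared right beside it.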
