Module Name:    src
Committed By:   maxv
Date:           Mon Feb 25 06:49:44 UTC 2019

Modified Files:
        src/sys/netcan: can_pcb.c
        src/sys/netinet: sctp_usrreq.c
        src/sys/netinet6: raw_ip6.c sctp6_usrreq.c

Log Message:
RIP6, CAN, SCTP and SCTP6 lack a length check in their _send() functions.
Fix RIP6 and CAN, add a big XXX in the SCTP ones.

Found by KASAN, triggered by SyzKaller.

Reported-by: syzbot+0b9692ae0f49f93b7...@syzkaller.appspotmail.com


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/sys/netcan/can_pcb.c
cvs rdiff -u -r1.17 -r1.18 src/sys/netinet/sctp_usrreq.c
cvs rdiff -u -r1.174 -r1.175 src/sys/netinet6/raw_ip6.c
cvs rdiff -u -r1.18 -r1.19 src/sys/netinet6/sctp6_usrreq.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netcan/can_pcb.c
diff -u src/sys/netcan/can_pcb.c:1.6 src/sys/netcan/can_pcb.c:1.7
--- src/sys/netcan/can_pcb.c:1.6	Fri Jun  9 08:21:41 2017
+++ src/sys/netcan/can_pcb.c	Mon Feb 25 06:49:44 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: can_pcb.c,v 1.6 2017/06/09 08:21:41 bouyer Exp $	*/
+/*	$NetBSD: can_pcb.c,v 1.7 2019/02/25 06:49:44 maxv Exp $	*/
 
 /*-
  * Copyright (c) 2003, 2017 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: can_pcb.c,v 1.6 2017/06/09 08:21:41 bouyer Exp $");
+__KERNEL_RCSID(0, "$NetBSD: can_pcb.c,v 1.7 2019/02/25 06:49:44 maxv Exp $");
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -124,6 +124,8 @@ can_pcbbind(void *v, struct sockaddr_can
 
 	if (scan->can_family != AF_CAN)
 		return (EAFNOSUPPORT);
+	if (scan->can_len != sizeof(*scan))
+		return EINVAL;
 	mutex_enter(&canp->canp_mtx);
 	if (scan->can_ifindex != 0) {
 		canp->canp_ifp = if_byindex(scan->can_ifindex);
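Review bot: The new `return EINVAL;` in can_pcbbind, and the identical line in the can_pcbconnect hunk below, do not follow the parenthesized `return (EAFNOSUPPORT);` style of the line directly above them; `return (EINVAL);` keeps the two adjacent returns consistent in both places. The check itself is sound as far as the hunk shows: it runs before mutex_enter(), so nothing is held on the reject path, and `sizeof(*scan)` ties the expected length to the struct type rather than a bare constant. The commit log speaks of _send() functions, but the CAN change lands in the bind and connect paths; presumably the CAN send path reaches can_pcbconnect, which I cannot confirm from this hunk. Both can_pcbbind and can_pcbconnect begin outside their hunks.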
@@ -157,6 +159,8 @@ can_pcbconnect(void *v, struct sockaddr_
 
 	if (scan->can_family != AF_CAN)
 		return (EAFNOSUPPORT);
+	if (scan->can_len != sizeof(*scan))
+		return EINVAL;
 #if 0
 	mutex_enter(&canp->canp_mtx);
 	memcpy(&canp->canp_dst, scan, sizeof(struct sockaddr_can));

Index: src/sys/netinet/sctp_usrreq.c
diff -u src/sys/netinet/sctp_usrreq.c:1.17 src/sys/netinet/sctp_usrreq.c:1.18
--- src/sys/netinet/sctp_usrreq.c:1.17	Sun Feb 24 07:20:33 2019
+++ src/sys/netinet/sctp_usrreq.c	Mon Feb 25 06:49:44 2019
@@ -1,5 +1,5 @@
 /*	$KAME: sctp_usrreq.c,v 1.50 2005/06/16 20:45:29 jinmei Exp $	*/
-/*	$NetBSD: sctp_usrreq.c,v 1.17 2019/02/24 07:20:33 maxv Exp $	*/
+/*	$NetBSD: sctp_usrreq.c,v 1.18 2019/02/25 06:49:44 maxv Exp $	*/
 
 /*
  * Copyright (c) 2001, 2002, 2003, 2004 Cisco Systems, Inc.
@@ -33,7 +33,7 @@
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sctp_usrreq.c,v 1.17 2019/02/24 07:20:33 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sctp_usrreq.c,v 1.18 2019/02/25 06:49:44 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -638,6 +638,11 @@ sctp_send(struct socket *so, struct mbuf
 		return EINVAL;
 	}
 #endif /* INET6 */
+
+	/*
+	 * XXX XXX XXX Check addr->sa_len?
+	 */
+
  connected_type:
 	/* now what about control */
 	if (control) {
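Review bot: The added `XXX XXX XXX Check addr->sa_len?` comment in sctp_send, and the matching `Check sin6->sin6_len?` one in the sctp6_send hunk, leave the missing length check that the commit log attributes to the KASAN finding unaddressed, and a bare XXX does not tell a later reader what the hazard is or what the fix looks like. At minimum the comment should name both, e.g. `/* XXX addr->sa_len is not validated here; rip6_send rejects a length other than sizeof(*dst) with EINVAL before using the address. Do the same once the per-family sockaddr size is known. */`. The `#endif /* INET6 */` just above suggests the family-specific branches that would know the expected size end right before this point, though they lie outside the hunk; in the sctp6 hunk `sin6` is already cast from `nam`, so a `sin6->sin6_len != sizeof(*sin6)` rejection using the function's existing EINVAL path looks feasible there, to be confirmed against the surrounding code. Both sctp_send and sctp6_send begin outside their hunks.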

Index: src/sys/netinet6/raw_ip6.c
diff -u src/sys/netinet6/raw_ip6.c:1.174 src/sys/netinet6/raw_ip6.c:1.175
--- src/sys/netinet6/raw_ip6.c:1.174	Sun Feb 24 07:20:33 2019
+++ src/sys/netinet6/raw_ip6.c	Mon Feb 25 06:49:44 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.174 2019/02/24 07:20:33 maxv Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.175 2019/02/25 06:49:44 maxv Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.174 2019/02/24 07:20:33 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.175 2019/02/25 06:49:44 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -891,6 +891,10 @@ rip6_send(struct socket *so, struct mbuf
 			error = EAFNOSUPPORT;
 			goto release;
 		}
+		if (dst->sin6_len != sizeof(*dst)) {
+			error = EINVAL;
+			goto release;
+		}
 	}
 	error = rip6_output(m, so, dst, control);
 	m = NULL;
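Review bot: The new `sin6_len` check in rip6_send carries no comment saying why a mismatched length must be rejected before rip6_output(), so it reads as an arbitrary constraint and is the kind of line a later cleanup might drop; a one-line note such as `/* dst must be a full sockaddr_in6 before rip6_output() uses it; a short sin6_len was found by KASAN (see commit log). */` would pin it down. The check sits after the family test and reuses the existing `error`/`goto release` path, which is consistent with the rejection directly above it. The enclosing `if` whose closing brace ends the hunk, and rip6_send itself, begin outside the hunk, so where dst is taken from nam is not visible here.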

Index: src/sys/netinet6/sctp6_usrreq.c
diff -u src/sys/netinet6/sctp6_usrreq.c:1.18 src/sys/netinet6/sctp6_usrreq.c:1.19
--- src/sys/netinet6/sctp6_usrreq.c:1.18	Sun Feb 24 07:20:33 2019
+++ src/sys/netinet6/sctp6_usrreq.c	Mon Feb 25 06:49:44 2019
@@ -1,5 +1,5 @@
 /* $KAME: sctp6_usrreq.c,v 1.38 2005/08/24 08:08:56 suz Exp $ */
-/* $NetBSD: sctp6_usrreq.c,v 1.18 2019/02/24 07:20:33 maxv Exp $ */
+/* $NetBSD: sctp6_usrreq.c,v 1.19 2019/02/25 06:49:44 maxv Exp $ */
 
 /*
  * Copyright (c) 2001, 2002, 2003, 2004 Cisco Systems, Inc.
@@ -33,7 +33,7 @@
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sctp6_usrreq.c,v 1.18 2019/02/24 07:20:33 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sctp6_usrreq.c,v 1.19 2019/02/25 06:49:44 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -833,6 +833,9 @@ sctp6_send(struct socket *so, struct mbu
 
 #ifdef INET
 	sin6 = (struct sockaddr_in6 *)nam;
+	/*
+	 * XXX XXX XXX Check sin6->sin6_len?
+	 */
 	if (inp6->in6p_flags & IN6P_IPV6_V6ONLY) {
 		/*
 		 * if IPV6_V6ONLY flag, we discard datagrams
