Hi,
Restrict protocol numbers for raw sockets to the range from 0 to 255.
ok?
bluhm
Index: netinet/raw_ip.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/raw_ip.c,v
retrieving revision 1.62
diff -u -p -r1.62 raw_ip.c
--- netinet/raw_ip.c 21 Oct 2012 13:06:03 -0000 1.62
+++ netinet/raw_ip.c 29 Mar 2013 18:03:00 -0000
@@ -419,6 +419,10 @@ rip_usrreq(struct socket *so, int req, s
error = EACCES;
break;
}
+ if ((long)nam < 0 || (long)nam >= IPPROTO_MAX) {
+ error = EPROTONOSUPPORT;
+ break;
+ }
if ((error = soreserve(so, rip_sendspace, rip_recvspace)) ||
(error = in_pcballoc(so, &rawcbtable)))
break;
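Review bot: The added range check in rip_usrreq() depends on `nam` carrying the socket's protocol number in a pointer-typed argument, but nothing at the check says so or explains why the limit is IPPROTO_MAX. A short comment above the `if` would record the intent, for example `/* nam carries the protocol number from socket(2); it must fit the 8-bit IP protocol field */`. Presumably the value is later stored in a narrower header field, where an out-of-range number would be silently truncated and alias a different protocol, but that assignment is outside the hunk and should be confirmed. The same comment applies to the identical check in rip6_usrreq() in netinet6/raw_ip6.c. Both function bodies start and end outside their hunks.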
Index: netinet6/raw_ip6.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/raw_ip6.c,v
retrieving revision 1.49
diff -u -p -r1.49 raw_ip6.c
--- netinet6/raw_ip6.c 28 Mar 2013 16:45:16 -0000 1.49
+++ netinet6/raw_ip6.c 29 Mar 2013 18:03:00 -0000
@@ -613,6 +613,10 @@ rip6_usrreq(struct socket *so, int req,
error = EACCES;
break;
}
+ if ((long)nam < 0 || (long)nam >= IPPROTO_MAX) {
+ error = EPROTONOSUPPORT;
+ break;
+ }
s = splsoftnet();
if ((error = soreserve(so, rip6_sendspace, rip6_recvspace)) !=
0) {
splx(s);