ok guenther@
The call in socreate() makes me think PRU_ATTACH should be moved from the
usrreq callback to a separate callback.  Those casts... yuck...



On Fri, Mar 29, 2013 at 8:48 PM, Alexander Bluhm <alexander.bl...@gmx.net>wrote:

> Hi,
>
> Restrict protocol numbers for raw sockets to the range from 0 to 255.
>
> ok?
>
> bluhm
>
> Index: netinet/raw_ip.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/raw_ip.c,v
> retrieving revision 1.62
> diff -u -p -r1.62 raw_ip.c
> --- netinet/raw_ip.c    21 Oct 2012 13:06:03 -0000      1.62
> +++ netinet/raw_ip.c    29 Mar 2013 18:03:00 -0000
> @@ -419,6 +419,10 @@ rip_usrreq(struct socket *so, int req, s
>                         error = EACCES;
>                         break;
>                 }
> +               if ((long)nam < 0 || (long)nam >= IPPROTO_MAX) {
> +                       error = EPROTONOSUPPORT;
> +                       break;
> +               }
>                 if ((error = soreserve(so, rip_sendspace, rip_recvspace))
> ||
>                     (error = in_pcballoc(so, &rawcbtable)))
>                         break;
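Review bot: The added range check in rip_usrreq() casts `nam` to `long` with no comment explaining that, on this path, the argument carries the socket's protocol number rather than an address; the identical check in the rip6_usrreq() hunk has the same gap. The description promises the range 0 to 255, but the code expresses the upper bound as `IPPROTO_MAX`, so the guarantee depends on that constant staying at 256. Presumably the value is later narrowed into an 8-bit protocol field, which is what makes the bound matter, though that store is not visible here. I would put a comment above both checks, for example `/* nam carries the protocol number here; reject anything that does not fit the 8-bit IP protocol field */`. Both function bodies start and end outside the hunks.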
> Index: netinet6/raw_ip6.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/raw_ip6.c,v
> retrieving revision 1.49
> diff -u -p -r1.49 raw_ip6.c
> --- netinet6/raw_ip6.c  28 Mar 2013 16:45:16 -0000      1.49
> +++ netinet6/raw_ip6.c  29 Mar 2013 18:03:00 -0000
> @@ -613,6 +613,10 @@ rip6_usrreq(struct socket *so, int req,
>                         error = EACCES;
>                         break;
>                 }
> +               if ((long)nam < 0 || (long)nam >= IPPROTO_MAX) {
> +                       error = EPROTONOSUPPORT;
> +                       break;
> +               }
>                 s = splsoftnet();
>                 if ((error = soreserve(so, rip6_sendspace,
> rip6_recvspace)) != 0) {
>                         splx(s);
>
>
