ok guenther@ The call in socreate() makes me think PRU_ATTACH should be moved from the usrreq callback to a separate callback. Those casts... yuck...
On Fri, Mar 29, 2013 at 8:48 PM, Alexander Bluhm <alexander.bl...@gmx.net>wrote: > Hi, > > Restrict protocol numbers for raw sockets to the range from 0 to 255. > > ok? > > bluhm > > Index: netinet/raw_ip.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/raw_ip.c,v > retrieving revision 1.62 > diff -u -p -r1.62 raw_ip.c > --- netinet/raw_ip.c 21 Oct 2012 13:06:03 -0000 1.62 > +++ netinet/raw_ip.c 29 Mar 2013 18:03:00 -0000 > @@ -419,6 +419,10 @@ rip_usrreq(struct socket *so, int req, s > error = EACCES; > break; > } > + if ((long)nam < 0 || (long)nam >= IPPROTO_MAX) { > + error = EPROTONOSUPPORT; > + break; > + } > if ((error = soreserve(so, rip_sendspace, rip_recvspace)) > || > (error = in_pcballoc(so, &rawcbtable))) > break; > Index: netinet6/raw_ip6.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/raw_ip6.c,v > retrieving revision 1.49 > diff -u -p -r1.49 raw_ip6.c > --- netinet6/raw_ip6.c 28 Mar 2013 16:45:16 -0000 1.49 > +++ netinet6/raw_ip6.c 29 Mar 2013 18:03:00 -0000 > @@ -613,6 +613,10 @@ rip6_usrreq(struct socket *so, int req, > error = EACCES; > break; > } > + if ((long)nam < 0 || (long)nam >= IPPROTO_MAX) { > + error = EPROTONOSUPPORT; > + break; > + } > s = splsoftnet(); > if ((error = soreserve(so, rip6_sendspace, > rip6_recvspace)) != 0) { > splx(s); > >
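Review bot: In the netinet/raw_ip.c hunk (rip_usrreq, @@ -419), the added test `(long)nam < 0 || (long)nam >= IPPROTO_MAX` casts `nam` twice and carries no comment saying that `nam` is being interpreted as the protocol number at this point. A one-line comment above the test would make that explicit, and casting once into a local would avoid repeating the cast. The description says "0 to 255" while the code compares against IPPROTO_MAX, so the comment should also state that the upper bound is exclusive.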
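Review bot: The netinet6/raw_ip6.c hunk (rip6_usrreq, @@ -613) repeats the four-line range test from raw_ip.c verbatim; a shared macro or inline helper would keep the IPv4 and IPv6 paths from drifting apart. The placement above `s = splsoftnet();` matters because the `break` on this path does not call `splx(s)`, so the test should stay ahead of that line if the block is reordered later.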