From 0b97e97cd2004ae805fa81b0c8033250da8dc2e1 Mon Sep 17 00:00:00 2001
From: Yoshinobu Inoue
Date: Thu, 24 Feb 2000 19:21:26 +0000
Subject: [PATCH] Add length check to sbcreatecontrol().

Now this check is necessary because IPv6 source routing might use control data bigger than MLEN. (e.g. 16 bytes IPv6 addr x 23 hops)

Actually mbuf cluster should be used in uipc_socket.c:sbcreatecontrol() and uipc_syscalls.c:sockargs() when data size is bigger than MLEN, and such patches were already in KAME environment and have been confirmed to work well. I just forgot to merge them into 4.0, sorry.

For safety, I'll postpone such patches until after 4.0 release. The effect of postponement is as follows.
-Ping6 source routing hops are limited to around 6 or so.
-If some apps do setsockopt IPV6_RTHDR and try to receive incoming IPv6 source routing info, it can't receive more than 6 hops source routing info. (But currently, no apps seem to be doing it.)

Approved by: jkh
---
 sys/kern/uipc_sockbuf.c | 2 ++
 sys/kern/uipc_socket2.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/sys/kern/uipc_sockbuf.c b/sys/kern/uipc_sockbuf.c index d71806b4d15..c1072b7eeaa 100644 --- a/sys/kern/uipc_sockbuf.c +++ b/sys/kern/uipc_sockbuf.c @@ -839,6 +839,8 @@ sbcreatecontrol(p, size, type, level) register struct cmsghdr *cp; struct mbuf *m; + if ((u_int)size > MLEN) + return ((struct mbuf *) NULL); if ((m = m_get(M_DONTWAIT, MT_CONTROL)) == NULL) return ((struct mbuf *) NULL); cp = mtod(m, struct cmsghdr *); diff --git a/sys/kern/uipc_socket2.c b/sys/kern/uipc_socket2.c index d71806b4d15..c1072b7eeaa 100644 --- a/sys/kern/uipc_socket2.c +++ b/sys/kern/uipc_socket2.c @@ -839,6 +839,8 @@ sbcreatecontrol(p, size, type, level) register struct cmsghdr *cp; struct mbuf *m; + if ((u_int)size > MLEN) + return ((struct mbuf *) NULL); if ((m = m_get(M_DONTWAIT, MT_CONTROL)) == NULL) return ((struct mbuf *) NULL); cp = mtod(m, struct cmsghdr *);
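
Review bot: In the sys/kern/uipc_sockbuf.c hunk, the added test `(u_int)size > MLEN` bounds only the payload, while the context line `cp = mtod(m, struct cmsghdr *);` shows that a cmsghdr header is laid out at the start of the same mbuf. If the data is stored after that header, a size at or just under MLEN passes the check and still does not fit. Compare the header-inclusive length against MLEN instead, for example sizeof(struct cmsghdr) plus size, or the CMSG_SPACE()/CMSG_LEN() form where the tree provides it. The u_int cast also rejects negative sizes and is worth keeping.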
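
Review bot: In the sys/kern/uipc_socket2.c hunk, the new early `return ((struct mbuf *) NULL);` yields the same value as the m_get() failure path two lines below it, so a caller cannot tell an oversized request from mbuf exhaustion, and nothing in the code records that the MLEN limit is a stopgap. Add a comment above the check saying the limit stands until the mbuf cluster change described in the commit message is merged, and consider whether callers need a distinct indication for the oversize case. This hunk also carries the same index line (d71806b4d15..c1072b7eeaa) and the same content as the uipc_sockbuf.c hunk, so confirm both files are meant to hold identical copies of sbcreatecontrol().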