Skip to content

Commit

Permalink
route(4): Avoid unaligned access to struct rt_msghdr.
Browse files Browse the repository at this point in the history 
Reported-by: syzbot+e0048186a5cc97b1c5a6@syzkaller.appspotmail.com
  • Loading branch information
riastradh authored and riastradh committed Jun 26, 2022
1 parent 2b1f9e5 commit 8ebaf25
Showing 1 changed file with 10 additions and 4 deletions.
14 changes: 10 additions & 4 deletions sys/net/rtsock_shared.c
View file
@@ -1,4 +1,4 @@
/* $NetBSD: rtsock_shared.c,v 1.19 2020/06/26 15:53:59 roy Exp $ */
/* $NetBSD: rtsock_shared.c,v 1.20 2022/06/26 21:42:19 riastradh Exp $ */

/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
Expand Down Expand Up @@ -61,7 +61,7 @@
*/

#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.19 2020/06/26 15:53:59 roy Exp $");
__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.20 2022/06/26 21:42:19 riastradh Exp $");

#ifdef _KERNEL_OPT
#include "opt_inet.h"
Expand Down Expand Up @@ -658,6 +658,7 @@ COMPATNAME(route_output)(struct mbuf *m, struct socket *so)
int bound = curlwp_bind();
bool do_rt_free = false;
struct sockaddr_storage netmask;
unsigned short msglen;

#define senderr(e) do { error = e; goto flush;} while (/*CONSTCOND*/ 0)
if (m == NULL || ((m->m_len < sizeof(int32_t)) &&
Expand All @@ -668,8 +669,13 @@ COMPATNAME(route_output)(struct mbuf *m, struct socket *so)
if ((m->m_flags & M_PKTHDR) == 0)
panic("%s", __func__);
len = m->m_pkthdr.len;
if (len < sizeof(*rtm) ||
len != mtod(m, struct rt_xmsghdr *)->rtm_msglen) {
if (len < sizeof(*rtm)) {
info.rti_info[RTAX_DST] = NULL;
senderr(EINVAL);
}
memcpy(&msglen, &mtod(m, struct rt_xmsghdr *)->rtm_msglen,
sizeof(msglen));
if (len != msglen) {
info.rti_info[RTAX_DST] = NULL;
senderr(EINVAL);
}
Expand Down

0 comments on commit 8ebaf25

Please sign in to comment.