Error out if the type is beyond the storage size. No functional change,

since the shift would otherwise 'and' against zero, returning EEXIST. Reported-by: syzbot+cb68ccdc1ef3aca2d679@syzkaller.appspotmail.com
2019-10-14 16:43:04 +00:00 · 2019-10-14 16:43:04 +00:00 · a1bd50f5a7
commit a1bd50f5a7
parent 7b43da9e77
1 changed files with 4 additions and 2 deletions
--- a/sys/net/rtsock_shared.c
+++ b/sys/net/rtsock_shared.c
@ -1,4 +1,4 @@
-/*	$NetBSD: rtsock_shared.c,v 1.10 2019/08/19 03:23:30 ozaki-r Exp $	*/
+/*	$NetBSD: rtsock_shared.c,v 1.11 2019/10/14 16:43:04 maxv Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -61,7 +61,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.10 2019/08/19 03:23:30 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock_shared.c,v 1.11 2019/10/14 16:43:04 maxv Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@ -227,6 +227,8 @@ COMPATNAME(route_filter)(struct mbuf *m, struct sockproto *proto,
 		return EINVAL;

 	rtm = mtod(m, struct rt_xmsghdr *);
+	if (rtm->rtm_type >= sizeof(rop->rocb_msgfilter) * CHAR_BIT)
+		return EINVAL;
 	/* If the rtm type is filtered out, return a positive. */
 	if (!(rop->rocb_msgfilter & RTMSGFILTER(rtm->rtm_type)))
 		return EEXIST;