Fix buffer overflow, detected by kASan.

ifconfig gif0 create ifconfig gif0 up [ 50.682919] kASan: Unauthorized Access In 0xffffffff80f22655: Addr 0xffffffff81b997a0 [8 bytes, read] [ 50.682919] #0 0xffffffff8021ce6a in kasan_memcpy <netbsd> [ 50.692999] #1 0xffffffff80f22655 in m_copyback_internal <netbsd> [ 50.692999] #2 0xffffffff80f22e81 in m_copyback <netbsd> [ 50.692999] #3 0xffffffff8103109a in rt_msg1 <netbsd> [ 50.692999] #4 0xffffffff8159109a in compat_70_rt_newaddrmsg1 <netbsd> [ 50.692999] #5 0xffffffff81031b0f in rt_newaddrmsg <netbsd> [ 50.692999] #6 0xffffffff8102c35e in rt_ifa_addlocal <netbsd> [ 50.692999] #7 0xffffffff80a5287c in in6_update_ifa1 <netbsd> [ 50.692999] #8 0xffffffff80a54149 in in6_update_ifa <netbsd> [ 50.692999] #9 0xffffffff80a59176 in in6_ifattach <netbsd> [ 50.692999] #10 0xffffffff80a56dd4 in in6_if_up <netbsd> [ 50.692999] #11 0xffffffff80fc5cb8 in if_up_locked <netbsd> [ 50.703622] #12 0xffffffff80fcc4c1 in ifioctl_common <netbsd> [ 50.703622] #13 0xffffffff80fde694 in gif_ioctl <netbsd> [ 50.703622] #14 0xffffffff80fcdb1f in doifioctl <netbsd>
2018-08-31 15:15:23 +00:00 · 2018-08-31 15:15:23 +00:00 · e8e58773e9
commit e8e58773e9
parent 10d6722b09
1 changed files with 4 additions and 4 deletions
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@ -1,4 +1,4 @@
-/*	$NetBSD: rtsock.c,v 1.241 2018/04/25 03:49:57 ozaki-r Exp $	*/
+/*	$NetBSD: rtsock.c,v 1.242 2018/08/31 15:15:23 maxv Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -61,7 +61,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.241 2018/04/25 03:49:57 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: rtsock.c,v 1.242 2018/08/31 15:15:23 maxv Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@ -1221,11 +1221,11 @@ COMPATNAME(rt_msg1)(int type, struct rt_addrinfo *rtinfo, void *data, int datale
 		m_copyback(m, len, sa->sa_len, sa);
 		if (dlen != sa->sa_len) {
 			/*
-			 * Up to 6 + 1 nul's since roundup is to
+			 * Up to 7 + 1 nul's since roundup is to
 			 * sizeof(uint64_t) (8 bytes)
 			 */
 			m_copyback(m, len + sa->sa_len,
-			    dlen - sa->sa_len, "\0\0\0\0\0\0");
+			    dlen - sa->sa_len, "\0\0\0\0\0\0\0");
 		}
 		len += dlen;
 	}