MFstable/10 r301803:
MFC r299507:
r299507 (by cem):
rtadvd(8): Fix a typo in full msg receive logic
Check against the size of the struct, not the pointer. Previously, a message
with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow
and read(2) to be invoked with msglen size (implicitly cast to signed),
overrunning the caller-provided buffer.
All users of cm_recv() supply a stack buffer.
On the other hand, the rtadvd control socket appears to only be writable by the
owner, who is probably root.
While here, correct some types to be size_t or ssize_t.
CID:
1008477
Security: unix socket remotes may overflow stack in rtadvd
git-svn-id: svn://svn.freebsd.org/base/stable/9@301804
ccf9f872-aa2e-dd11-9fc8-
001c23d0bc1f
projects / FreeBSD / stable / 9.git / commit