Synopsis: Insufficient msg_controllen checking for sendmsg(2) NetBSD versions: 1.3, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.5 Thanks to: Jaromir Dolecek and Matt Thomas Reported in NetBSD Security Advisory: NetBSD-SA2001-011 Index: sys/kern/uipc_syscalls.c =================================================================== RCS file: /cvsroot/syssrc/sys/kern/uipc_syscalls.c,v retrieving revision 1.52.4.1 retrieving revision 1.52.4.2 diff -p -p -c -r1.52.4.1 -r1.52.4.2 *** sys/kern/uipc_syscalls.c 2000/12/15 00:09:10 1.52.4.1 --- sys/kern/uipc_syscalls.c 2001/07/02 13:41:41 1.52.4.2 *************** sockargs(mp, buf, buflen, type) *** 1113,1121 **** /* * We can't allow socket names > UCHAR_MAX in length, since that ! * will overflow sa_len. */ ! if (type == MT_SONAME && (u_int)buflen > UCHAR_MAX) return (EINVAL); /* Allocate an mbuf to hold the arguments. */ --- 1113,1122 ---- /* * We can't allow socket names > UCHAR_MAX in length, since that ! * will overflow sa_len. Control data more than a page size in ! * length is just too much. */ ! if ((u_int)buflen > (type == MT_SONAME ? UCHAR_MAX : PAGE_SIZE)) return (EINVAL); /* Allocate an mbuf to hold the arguments. */
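Review bot: In the rewritten condition of the sockargs() hunk, the ternary `type == MT_SONAME ? UCHAR_MAX : PAGE_SIZE` applies the PAGE_SIZE cap to every type other than MT_SONAME, while the updated comment speaks only of control data. If the bound is meant for control messages alone, test for that type explicitly (for example `type == MT_CONTROL && (u_int)buflen > PAGE_SIZE` next to the existing MT_SONAME test). If it is meant for all remaining types, the comment should say so. The comment text "just too much" also gives no rationale. PAGE_SIZE differs between ports, so the largest accepted msg_controllen becomes machine-dependent, and a sentence on why one page is the right ceiling ahead of the mbuf allocation that follows would help the next reader. Keeping the `(u_int)` cast is right, since a negative buflen then compares as a large value and is rejected with EINVAL.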