Synopsis: Insufficient msg_controllen checking for sendmsg(2)
NetBSD versions: 1.3, 1.4, 1.4.1, 1.4.2, 1.4.3, 1.5
Thanks to: Jaromir Dolecek and Matt Thomas
Reported in NetBSD Security Advisory: NetBSD-SA2001-011

Index: sys/kern/uipc_syscalls.c
===================================================================
RCS file: /cvsroot/syssrc/sys/kern/uipc_syscalls.c,v
retrieving revision 1.52.4.1
retrieving revision 1.52.4.2
diff -p -p -c -r1.52.4.1 -r1.52.4.2
*** sys/kern/uipc_syscalls.c	2000/12/15 00:09:10	1.52.4.1
--- sys/kern/uipc_syscalls.c	2001/07/02 13:41:41	1.52.4.2
*************** sockargs(mp, buf, buflen, type)
*** 1113,1121 ****
  
  	/*
  	 * We can't allow socket names > UCHAR_MAX in length, since that
! 	 * will overflow sa_len.
  	 */
! 	if (type == MT_SONAME && (u_int)buflen > UCHAR_MAX)
  		return (EINVAL);
  
  	/* Allocate an mbuf to hold the arguments. */
--- 1113,1122 ----
  
  	/*
  	 * We can't allow socket names > UCHAR_MAX in length, since that
! 	 * will overflow sa_len.   Control data more than a page size in
! 	 * length is just too much.
  	 */
! 	if ((u_int)buflen > (type == MT_SONAME ? UCHAR_MAX : PAGE_SIZE))
  		return (EINVAL);
  
  	/* Allocate an mbuf to hold the arguments. */
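Review bot: The new comment on the changed lines talks only about "Control data", but the condition `(u_int)buflen > (type == MT_SONAME ? UCHAR_MAX : PAGE_SIZE)` applies the PAGE_SIZE bound to every mbuf type other than MT_SONAME, not just MT_CONTROL; either widen the comment to say that any non-name argument is capped at PAGE_SIZE, or make the intent explicit in the code with a `type == MT_CONTROL` test so the comment and the check agree. Keeping the `(u_int)` cast is the right call here: a negative buflen (the unchecked msg_controllen this advisory is about) becomes a very large unsigned value and is rejected with EINVAL before the mbuf allocation below.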