From: mvs Date: Thu, 27 Jul 2023 22:20:51 +0000 (+0000) Subject: Fix routing message size check in route_output(). `rtm_hdrlen' type is X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=700cb63dd145df2d3621516f354e250e8e48db9d;p=openbsd Fix routing message size check in route_output(). `rtm_hdrlen' type is u_short, so add sizeof(rtm->rtm_hdrlen) instead of 1 to its offset within rt_msghdr structure. ok claudio --- diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c index 0622f40bb31..528cd08a955 100644 --- a/sys/net/rtsock.c +++ b/sys/net/rtsock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rtsock.c,v 1.367 2023/06/26 07:52:18 claudio Exp $ */ +/* $OpenBSD: rtsock.c,v 1.368 2023/07/27 22:20:51 mvs Exp $ */ /* $NetBSD: rtsock.c,v 1.18 1996/03/29 00:32:10 cgd Exp $ */ /* @@ -705,7 +705,8 @@ route_output(struct mbuf *m, struct socket *so) sounlock(so); len = m->m_pkthdr.len; - if (len < offsetof(struct rt_msghdr, rtm_hdrlen) + 1 || + if (len < offsetof(struct rt_msghdr, rtm_hdrlen) + + sizeof(rtm->rtm_hdrlen) || len != mtod(m, struct rt_msghdr *)->rtm_msglen) { error = EINVAL; goto fail;
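Review bot: In the route_output() hunk, the new lower bound writes the field size as sizeof(rtm->rtm_hdrlen) while the next line of the same condition reaches the header through mtod(m, struct rt_msghdr *), so a reader has to stop and check whether rtm is already valid at this point. sizeof does not evaluate its operand, so the expression is safe either way, but the mixed spelling hides that. Consider a one-line comment above the condition saying that the minimum length covers the header up to and including rtm_hdrlen, so the intent of the bound is explicit and a later edit is less likely to bring back a hard-coded size such as the old "+ 1".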