[Midnightbsd-cvs] [MidnightBSD/src] 959fd3: The rtsock_msg_buffer() function serializes routin...
Lucas Holt
noreply at github.com
Tue Feb 24 20:03:30 EST 2026
Branch: refs/heads/stable/4.0
Home: https://github.com/MidnightBSD/src
Commit: 959fd3ff1e3f3f4df73d655364dd7e49c80874e0
https://github.com/MidnightBSD/src/commit/959fd3ff1e3f3f4df73d655364dd7e49c80874e0
Author: Lucas Holt <luke at foolishgames.com>
Date: 2026-02-24 (Tue, 24 Feb 2026)
Changed paths:
M sys/net/rtsock.c
Log Message:
-----------
The rtsock_msg_buffer() function serializes routing information into a buffer.
As a part of this, it copies sockaddr structures into a sockaddr_storage
structure on the stack. It assumes that the source sockaddr length field had
already been validated, but this is not necessarily the case, and it's possible
for a malicious userspace program to craft a request which triggers a 127-byte
overflow.
In practice, this overflow immediately overwrites the canary for the
rtsock_msg_buffer() stack frame, resulting in a panic once the function
returns.
Obtained from: FreeBSD
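
The length check the log message says was assumed, shown as an added example (not code from this commit or from rtsock.c). It assumes the BSD layout, where sa_len is a single byte (maximum 255) and sockaddr_storage is 128 bytes, which is where the 127-byte figure comes from. The struct and function names below are hypothetical stand-ins.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the destination type: 128 bytes, like BSD's
 * sockaddr_storage. A stand-in for illustration, not the kernel type. */
struct model_sockaddr_storage {
    uint8_t ss_len;
    uint8_t ss_family;
    char    ss_pad[126];
};

/* Worst case written past the destination when a one-byte length
 * field is trusted: 255 - 128 = 127 bytes. */
static size_t max_overflow(void)
{
    return UINT8_MAX - sizeof(struct model_sockaddr_storage);
}

/* Hypothetical helper: copy a length-prefixed sockaddr from src into dst
 * only if the claimed length fits the destination and the source buffer. */
static int copy_sockaddr_checked(struct model_sockaddr_storage *dst,
    const void *src, size_t src_avail)
{
    const uint8_t *p = src;
    size_t len;

    if (src_avail < 2)              /* need the len and family bytes */
        return EINVAL;
    len = p[0];                     /* attacker-controlled, 0..255 */
    if (len < 2 || len > sizeof(*dst) || len > src_avail)
        return EINVAL;              /* reject instead of truncating */
    memset(dst, 0, sizeof(*dst));   /* no stale stack bytes in the tail */
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    unsigned char req[255];         /* constructed sample request */
    struct model_sockaddr_storage ss;

    memset(req, 0x41, sizeof(req));
    req[0] = 255;                   /* oversized length claim */
    req[1] = 2;
    return copy_sockaddr_checked(&ss, req, sizeof(req)) == EINVAL ? 0 : 1;
}
```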