From proff@profane.iq.org  Fri Jan 24 23:15:35 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA22518;
          Fri, 24 Jan 1997 23:15:25 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id SAA11589;
          Sat, 25 Jan 1997 18:15:47 +1100 (EST)
Message-Id: <199701250715.SAA11589@profane.iq.org>
Date: Sat, 25 Jan 1997 18:15:47 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: patch for setsockopt(), opt data > MLEN
X-Send-Pr-Version: 3.2

>Number:         2575
>Category:       kern
>Synopsis:       patch for setsockopt(), opt data > MLEN
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    wollman
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 24 23:20:00 PST 1997
>Closed-Date:    Wed Apr 29 11:11:31 PDT 1998
>Last-Modified:  Wed Apr 29 11:12:52 PDT 1998
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	setsockopt() transports user option data in an mbuf. If the user data
	is greater than MLEN, setsockopt is unable to pass it on to the protocol
	handler.

	

>How-To-Repeat:

	

>Fix:
	
	

Allocate a cluster if the option data is > MLEN; this gives us up to
2048 bytes of option data.

Index: src/sys/kern/uipc_syscalls.c
diff -u src/sys/kern/uipc_syscalls.c:1.20 src/sys/kern/uipc_syscalls.c:1.21
--- src/sys/kern/uipc_syscalls.c:1.20	Wed Oct 16 05:28:44 1996
+++ src/sys/kern/uipc_syscalls.c	Sat Jan  4 15:20:12 1997
@@ -31,7 +31,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)uipc_syscalls.c	8.4 (Berkeley) 2/21/94
- * $Id: uipc_syscalls.c,v 1.20 1996/10/15 19:28:44 wollman Exp $
+ * $Id: uipc_syscalls.c,v 1.21 1997/01/04 04:20:12 proff Exp $
  */
 
 #include "opt_ktrace.h"
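
Review bot: the $Id line in the file header should not be in the submitted diff. It is an RCS keyword that the repository rewrites at commit time, so a hand-carried 1.21/proff value will either be overwritten or cause this hunk to reject against a tree that has moved past 1.20. Drop this hunk and send only the setsockopt() change.
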
@@ -981,12 +981,17 @@
 	error = getsock(p->p_fd, uap->s, &fp);
 	if (error)
 		return (error);
-	if (uap->valsize > MLEN)
+	if (uap->valsize > MCLBYTES)
 		return (EINVAL);
 	if (uap->val) {
 		m = m_get(M_WAIT, MT_SOOPTS);
 		if (m == NULL)
 			return (ENOBUFS);
+		if (uap->valsize > MLEN) {
+			MCLGET(m, M_WAIT);
+			if (!(m->m_flags & M_EXT))
+				return (ENOBUFS);
+		}
 		error = copyin(uap->val, mtod(m, caddr_t), (u_int)uap->valsize);
 		if (error) {
 			(void) m_free(m);
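
Review bot: the added MCLGET failure branch returns ENOBUFS without releasing m, so the mbuf obtained from m_get() a few lines earlier is leaked each time cluster allocation fails. The copyin error path directly below calls (void) m_free(m) before returning; the new branch should do the same ahead of its return (ENOBUFS). A short comment at the changed size check stating that MCLBYTES is now the upper bound for option data would also help, since the limit is otherwise only documented in the PR text.
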
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->freebsd-bugs 
Responsible-Changed-By: mpp 
Responsible-Changed-When: Sat Jan 25 22:55:46 PST 1997 
Responsible-Changed-Why:  
Misfiled PR. 
State-Changed-From-To: open->closed 
State-Changed-By: phk 
State-Changed-When: Sat Apr 11 13:38:29 PDT 1998 
State-Changed-Why:  
applied, thanks.:x 
State-Changed-From-To: closed->suspended 
State-Changed-By: phk 
State-Changed-When: Sun Apr 12 01:11:38 PDT 1998 
State-Changed-Why:  

Actually, what is eventually supposed to happen (after I pop about 
five other projects off my stack) is that socket options are passed 
down in the kernel as uio structs, and don't get copied in until the 
appropriate lower layer has accepted them.  (This also eliminates yet 
another use of mbufs to hold something other than packet data.) 

-GAWollman 


Responsible-Changed-From-To: freebsd-bugs->wollman 
Responsible-Changed-By: phk 
Responsible-Changed-When: Sun Apr 12 01:11:38 PDT 1998 
Responsible-Changed-Why:  
see above 
State-Changed-From-To: suspended->closed 
State-Changed-By: julian 
State-Changed-When: Wed Apr 29 11:11:31 PDT 1998 
State-Changed-Why:  
patch applied to -current April '97 
>Unformatted:
