K 10
svn:author
V 3
cem
K 8
svn:date
V 27
2016-05-12T03:37:17.667426Z
K 7
svn:log
V 672
rtadvd(8): Fix a typo in full msg receive logic

Check against the size of the struct, not the pointer.  Previously, a message
with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow
and read(2) to be invoked with msglen size (implicitly cast to signed),
overrunning the caller-provided buffer.

All users of cm_recv() supply a stack buffer.

On the other hand, the rtadvd control socket appears to only be writable by the
owner, who is probably root.

While here, correct some types to be size_t or ssize_t.

Reported by:	Coverity
CID:		1008477
Security:	unix socket remotes may overflow stack in rtadvd
Sponsored by:	EMC / Isilon Storage Division

END