K 10
svn:author
V 4
ngie
K 8
svn:date
V 27
2016-06-10T18:02:51.977521Z
K 7
svn:log
V 638
MFC r299507:

r299507 (by cem):

rtadvd(8): Fix a typo in full msg receive logic

Check against the size of the struct, not the pointer. Previously, a message with a cm_len between 9 and 23 (inclusive) could cause int msglen to underflow and read(2) to be invoked with msglen size (implicitly cast to signed), overrunning the caller-provided buffer.

All users of cm_recv() supply a stack buffer.

On the other hand, the rtadvd control socket appears to only be writable by the owner, who is probably root.

While here, correct some types to be size_t or ssize_t.

CID: 1008477
Security: unix socket remotes may overflow stack in rtadvd
END
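
The length check described in the log message, as an added example that is not rtadvd's code and not part of the commit. The struct layout, the function names and the upper bound against the buffer size are assumptions made for illustration; the sample lengths are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical control-message header; only the cm_len field name comes
 * from the log message, the rest of the layout is an assumption. */
struct ctrl_msg_hdr {
    int    cm_version;
    size_t cm_len;      /* total message length, header included */
    int    cm_type;
};

/* Before the fix: the minimum-length check uses the size of a pointer. */
static int payload_len_buggy(const struct ctrl_msg_hdr *cm, size_t *out)
{
    if (cm->cm_len < sizeof(cm))        /* sizeof(pointer): the typo */
        return -1;
    *out = cm->cm_len - sizeof(*cm);    /* wraps if cm_len < sizeof(*cm) */
    return 0;
}

/* After the fix: compare against the struct size. The bufsize bound is an
 * extra check added in this example, not stated in the log message. */
static int payload_len_fixed(const struct ctrl_msg_hdr *cm, size_t bufsize,
                             size_t *out)
{
    if (cm->cm_len < sizeof(*cm) || cm->cm_len > bufsize)
        return -1;
    *out = cm->cm_len - sizeof(*cm);
    return 0;
}

int main(void)
{
    struct ctrl_msg_hdr hdr = { 1, 0, 0 };
    /* Constructed lengths: one byte short of the header, and a valid one. */
    size_t samples[] = { sizeof(hdr) - 1, sizeof(hdr) + 16 };
    size_t n = 0;

    for (size_t i = 0; i < 2; i++) {
        hdr.cm_len = samples[i];
        int b = payload_len_buggy(&hdr, &n);
        printf("cm_len=%zu buggy=%d", hdr.cm_len, b);
        if (b == 0)
            printf(" payload=%zu", n);   /* huge value when wrapped */
        printf(" fixed=%d\n", payload_len_fixed(&hdr, 256, &n));
    }
    return 0;
}
```

A length that passes the pointer-sized check but is shorter than the header yields a wrapped payload length, which is the value that would be handed to read(2) as the byte count.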