Title: NetBSD sendmsg Denial of Service Vulnerability
Severity: MODERATE
Description:
A potential denial of service vulnerability exists in the NetBSD kernel.
The problem is the result of an input validation error in the sendmsg(2) function and is due to insufficient length checking on the 'msg_controllen' member of the 'msghdr' structure.
The msghdr structure contains most of the arguments for the sendmsg() function. This includes the msg_controllen variable, which is used to specify the size of any optional ancillary data (or control information) that should be sent with a message. The variable is then used by the kernel to read the control information (pointed to by another member, 'msg_control') into kernel space.
Because the kernel fails to check the length given in the msg_controllen member, a sufficiently large value can cause a page fault trap or an 'out of space in kmem_map' kernel panic.
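The kind of length validation the description says was missing, as an added example (a user-space model written for this page, not NetBSD kernel code or the NetBSD fix). The names control_copyin, CONTROL_MAX and ALIGN_UP, the 256-byte bound and the errno choices are assumptions, and memcpy() stands in for the kernel's copy from user space.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
/* Assumed upper bound on ancillary data; a real kernel chooses its own. */
#define CONTROL_MAX 256u
/* Round up to the alignment assumed between consecutive cmsghdr records. */
#define ALIGN_UP(n) (((n) + sizeof(size_t) - 1) & ~(sizeof(size_t) - 1))

/* User-space model of copying sendmsg() control data into a kernel buffer.
 * Returns 0 on success or an errno value; *out_len is nonzero only on success. */
int control_copyin(const struct msghdr *msg, unsigned char *kbuf,
                   size_t kbuf_cap, size_t *out_len)
{
    size_t len = (size_t)msg->msg_controllen, off = 0;
    *out_len = 0;
    if (len == 0)
        return 0;                 /* no ancillary data supplied */
    if (msg->msg_control == NULL)
        return EFAULT;
    if (len < sizeof(struct cmsghdr))
        return EINVAL;            /* too short for even one header */
    if (len > CONTROL_MAX || len > kbuf_cap)
        return EMSGSIZE;          /* bound the length before any copy */

    memcpy(kbuf, msg->msg_control, len);   /* stands in for copyin() */

    /* Each record must cover its own header and end inside the buffer. */
    while (off + sizeof(struct cmsghdr) <= len) {
        struct cmsghdr hdr;
        size_t clen;
        memcpy(&hdr, kbuf + off, sizeof hdr);
        clen = (size_t)hdr.cmsg_len;
        if (clen < sizeof(struct cmsghdr) || clen > len - off)
            return EINVAL;
        off += ALIGN_UP(clen);
    }
    *out_len = len;
    return 0;
}

int main(void)
{
    unsigned char ubuf[32] = {0}, kbuf[CONTROL_MAX];
    struct msghdr msg = {0};      /* constructed input */
    size_t n;
    msg.msg_control = ubuf;
    msg.msg_controllen = 1u << 30;   /* claimed length far beyond the bound */
    return control_copyin(&msg, kbuf, sizeof kbuf, &n) == EMSGSIZE ? 0 : 1;
}
```

The oversized length is rejected before any allocation or copy is sized from it, which is the point at which the advisory locates the missing check.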
Affected Products:
- NetBSD NetBSD 1.3.0
- NetBSD NetBSD 1.3.1
- NetBSD NetBSD 1.3.2
- NetBSD NetBSD 1.3.3
- NetBSD NetBSD 1.4.0
- NetBSD NetBSD 1.4.1
- NetBSD NetBSD 1.4.2
- NetBSD NetBSD 1.4.3
- NetBSD NetBSD 1.5.0
- NetBSD NetBSD current pre20010701