From 8658b626fa4839231ea8f05fc9349eb29777ab1d Mon Sep 17 00:00:00 2001
From: Stathis Kamperis
Date: Sat, 23 Jan 2010 13:29:53 +0200
Subject: [PATCH] mqueues: Add sysctl for max message count in a queue.

A user could set mq_maxmsg (the maximal number of messages in a queue) to a huge value on mq_open(O_CREAT) and later use up all kernel memory by abusing mq_send(), resulting in a denial of service attack. Add a sysctl'able limit which defaults to 16*mq_def_maxmsg. Taken from NetBSD.
---
 sys/kern/sys_mqueue.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sys/kern/sys_mqueue.c b/sys/kern/sys_mqueue.c
index 059fb0b416..2b1fc17833 100644
--- a/sys/kern/sys_mqueue.c
+++ b/sys/kern/sys_mqueue.c
@@ -76,6 +76,7 @@ static u_int mq_open_max = MQ_OPEN_MAX;
 static u_int mq_prio_max = MQ_PRIO_MAX;
 static u_int mq_max_msgsize = 16 * MQ_DEF_MSGSIZE;
 static u_int mq_def_maxmsg = 32;
+static u_int mq_max_maxmsg = 16 * 32;
 
 struct lock mqlist_mtx;
 static struct objcache * mqmsg_cache;
@@ -438,7 +439,9 @@ sys_mq_open(struct mq_open_args *uap)
 kfree(name, M_MQBUF);
 return error;
 }
- if (attr.mq_maxmsg <= 0 || attr.mq_msgsize <= 0 ||
+ if (attr.mq_maxmsg <= 0 ||
+ attr.mq_maxmsg > mq_max_maxmsg ||
+ attr.mq_msgsize <= 0 ||
 attr.mq_msgsize > mq_max_msgsize) {
 kfree(name, M_MQBUF);
 return EINVAL;
@@ -1122,4 +1125,8 @@ SYSCTL_INT(_kern_mqueue, OID_AUTO, mq_def_maxmsg,
 CTLFLAG_RW, &mq_def_maxmsg, 0,
 "Default maximal message count");
 
+SYSCTL_INT(_kern_mqueue, OID_AUTO, mq_max_maxmsg,
+ CTLFLAG_RW, &mq_max_maxmsg, 0,
+ "Maximal allowed message count");
+
 SYSINIT(sys_mqueue_init, SI_SUB_PRE_DRIVERS, SI_ORDER_ANY, mqueue_sysinit, NULL);
-- 
2.41.0
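Review bot: In the `@@ -76,6 +76,7 @@` hunk the initializer `16 * 32` for `mq_max_maxmsg` repeats the literal from `mq_def_maxmsg` rather than being tied to it, so the "16*mq_def_maxmsg" relation in the commit message holds only for the initial values. Both variables are exported read-write in the last hunk, so the default can later be raised above the maximum. Whether the path of mq_open that takes no caller attributes would then exceed the cap is not visible in this patch. I would document the intent on the new line, for example `/* Cap on caller-supplied mq_maxmsg; starts at 16x the initial mq_def_maxmsg and does not follow later sysctl changes. */`.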
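Review bot: In the `@@ -438,7 +439,9 @@` hunk the added test `attr.mq_maxmsg > mq_max_maxmsg` bounds a single queue, while the exhaustion described in the commit message concerns total kernel memory. That total is still the per-queue product of `mq_max_maxmsg` and `mq_max_msgsize`, multiplied by however many queues a caller can create. No system-wide accounting is visible here, and sys_mq_open starts and ends outside the hunk, so it may exist elsewhere. I would state the scope of the check above the condition, for example `/* Per-queue bound only: at most mq_max_maxmsg messages of up to mq_max_msgsize bytes each. */`, and confirm that the number of queues is limited as well.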
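Review bot: In the `@@ -1122,4 +1125,8 @@` hunk `mq_max_maxmsg` is declared `u_int` but exported with `SYSCTL_INT` and no range check, so a negative write is stored as a very large unsigned limit and removes the bound this patch introduces. A write of 0 makes every mq_open with explicit attributes return EINVAL, since the check in sys_mq_open rejects both `<= 0` and `> mq_max_maxmsg`. This mirrors the existing `mq_def_maxmsg` entry just above, so it is consistent with the file. For a knob meant to cap memory use, I would still declare it with the unsigned macro, `SYSCTL_UINT(_kern_mqueue, OID_AUTO, mq_max_maxmsg,`, assuming this tree's sysctl.h provides it. A handler that refuses out-of-range values would be stronger still.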