diff options
author | Xin LI <delphij@FreeBSD.org> | 2013-08-22 00:51:43 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2013-08-22 00:51:43 +0000 |
commit | bbd43032eef48d75caed5f272dbf2b1794613e4b (patch) | |
tree | d5b5e0ee7a42978e4eca8dedb5ab4c51696dfb6a | |
parent | d94e0506bc7f0cfc27fd476a6f38fa46d9778628 (diff) | |
download | src-bbd43032eef48d75caed5f272dbf2b1794613e4b.tar.gz src-bbd43032eef48d75caed5f272dbf2b1794613e4b.zip |
Fix an integer overflow in computing the size of a temporary buffer
can result in a buffer which is too small for the requested
operation.
Security: CVE-2013-3077
Security: FreeBSD-SA-13:09.ip_multicast
Approved by: re (kib)
Notes
Notes:
svn path=/releng/9.2/; revision=254630
-rw-r--r-- | sys/netinet/in_mcast.c | 2 | ||||
-rw-r--r-- | sys/netinet6/in6_mcast.c | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index 812ca674c96b..813fa3d57cfe 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -1614,6 +1614,8 @@ inp_get_source_filters(struct inpcb *inp, struct sockopt *sopt) * has asked for, but we always tell userland how big the * buffer really needs to be. */ + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + msfr.msfr_nsrcs = in_mcast_maxsocksrc; tss = NULL; if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c index ce23aa8c34c2..fca48b5c6d60 100644 --- a/sys/netinet6/in6_mcast.c +++ b/sys/netinet6/in6_mcast.c @@ -1625,6 +1625,8 @@ in6p_get_source_filters(struct inpcb *inp, struct sockopt *sopt) * has asked for, but we always tell userland how big the * buffer really needs to be. */ + if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) + msfr.msfr_nsrcs = in6_mcast_maxsocksrc; tss = NULL; if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, |