Module Name: src Committed By: riastradh Date: Sat Mar 12 16:19:08 UTC 2022
Modified Files: src/sys/net: bpf.c Log Message: bpf(4): Clamp read timeout to INT_MAX ticks to avoid overflow. Reported-by: syzbot+c543d35064d3492b9...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.243 -r1.244 src/sys/net/bpf.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/bpf.c
diff -u src/sys/net/bpf.c:1.243 src/sys/net/bpf.c:1.244
--- src/sys/net/bpf.c:1.243 Sun Sep 26 01:16:10 2021
+++ src/sys/net/bpf.c Sat Mar 12 16:19:08 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: bpf.c,v 1.243 2021/09/26 01:16:10 thorpej Exp $ */
+/* $NetBSD: bpf.c,v 1.244 2022/03/12 16:19:08 riastradh Exp $ */
 /*
 * Copyright (c) 1990, 1991, 1993
@@ -39,7 +39,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.243 2021/09/26 01:16:10 thorpej Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.244 2022/03/12 16:19:08 riastradh Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_bpf.h"
@@ -1152,7 +1152,12 @@ bpf_ioctl(struct file *fp, u_long cmd, v
 struct timeval *tv = addr;
 /* Compute number of ticks. */
- d->bd_rtout = tv->tv_sec * hz + tv->tv_usec / tick;
+ if (tv->tv_sec > INT_MAX/hz - 1) {
+ d->bd_rtout = INT_MAX;
+ } else {
+ d->bd_rtout = tv->tv_sec * hz + + tv->tv_usec / tick;
+ }
 if ((d->bd_rtout == 0) && (tv->tv_usec != 0))
 d->bd_rtout = 1;
 break;
@@ -1181,7 +1186,12 @@ bpf_ioctl(struct file *fp, u_long cmd, v
 struct timeval50 *tv = addr;
 /* Compute number of ticks. */
- d->bd_rtout = tv->tv_sec * hz + tv->tv_usec / tick;
+ if (tv->tv_sec > INT_MAX/hz - 1) {
+ d->bd_rtout = INT_MAX;
+ } else {
+ d->bd_rtout = tv->tv_sec * hz + + tv->tv_usec / tick;
+ }
 if ((d->bd_rtout == 0) && (tv->tv_usec != 0))
 d->bd_rtout = 1;
 break;
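Review bot: The guard added in the `struct timeval` hunk (`tv->tv_sec > INT_MAX/hz - 1`) bounds only large positive seconds, so a negative `tv_sec` or a `tv_usec` outside 0..999999 still reaches `tv->tv_sec * hz + tv->tv_usec / tick`. The timeval comes in through the ioctl `addr` argument, and with an oversized `tv_usec` the sum can presumably still pass INT_MAX, while a negative field would yield a negative tick count. I would validate the fields ahead of the clamp, for example `if (tv->tv_sec < 0 || tv->tv_usec < 0 || tv->tv_usec >= 1000000)` failing the request with EINVAL, and add a short comment such as `/* INT_MAX/hz - 1 leaves headroom for the tv_usec/tick term */`. The `struct timeval50` hunk carries the identical block and needs the same check; a small shared helper taking seconds and microseconds would keep the two copies in step. bpf_ioctl begins and ends outside both hunks, so the way an error is returned from it is not visible here.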