Author: delphij
Date: Thu Aug 22 00:51:37 2013
New Revision: 254629
URL: http://svnweb.freebsd.org/changeset/base/254629
Log:
Fix an integer overflow in computing the size of a temporary buffer
can result in a buffer which is too small for the requested
operation.
Security: CVE-2013-3077
Security: FreeBSD-SA-13:09.ip_multicast
Modified:
head/sys/netinet/in_mcast.c
head/sys/netinet6/in6_mcast.c
Changes in other areas also in this revision:
Modified:
stable/8/sys/netinet/in_mcast.c
stable/8/sys/netinet6/in6_mcast.c
stable/9/sys/netinet/in_mcast.c
stable/9/sys/netinet6/in6_mcast.c
Modified: head/sys/netinet/in_mcast.c
==============================================================================
--- head/sys/netinet/in_mcast.c Wed Aug 21 23:22:36 2013 (r254628)
+++ head/sys/netinet/in_mcast.c Thu Aug 22 00:51:37 2013 (r254629)
@@ -1648,6 +1648,8 @@ inp_get_source_filters(struct inpcb *inp
* has asked for, but we always tell userland how big the
* buffer really needs to be.
*/
+ if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
+ msfr.msfr_nsrcs = in_mcast_maxsocksrc;
tss = NULL;
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
Modified: head/sys/netinet6/in6_mcast.c
==============================================================================
--- head/sys/netinet6/in6_mcast.c Wed Aug 21 23:22:36 2013
(r254628)
+++ head/sys/netinet6/in6_mcast.c Thu Aug 22 00:51:37 2013
(r254629)
@@ -1625,6 +1625,8 @@ in6p_get_source_filters(struct inpcb *in
* has asked for, but we always tell userland how big the
* buffer really needs to be.
*/
+ if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
+ msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
tss = NULL;
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
