diff options
author | davide <davide@FreeBSD.org> | 2014-08-04 05:40:51 +0000 |
---|---|---|
committer | davide <davide@FreeBSD.org> | 2014-08-04 05:40:51 +0000 |
commit | 2df6a889b377191f22988233f698efda4300671b (patch) | |
tree | 78b8c6327f1b13744202a1935c8a1ec32ada2b2b | |
parent | f32f2c464b768d864a29e4befbd0252787201a62 (diff) | |
download | FreeBSD-src-2df6a889b377191f22988233f698efda4300671b.zip FreeBSD-src-2df6a889b377191f22988233f698efda4300671b.tar.gz |
Fix an overflow in getsockopt(). optval isn't big enough to hold
sbintime_t.
Re-introduce r255030 behaviour capping socket timeouts to INT_32
if they're too large.
CR: https://phabric.freebsd.org/D433
Reported by: demon
Reviewed by: bde [1], jhb [2]
MFC after: 2 weeks
-rw-r--r-- | sys/kern/uipc_socket.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c index 6abc37a..ddf52b0 100644 --- a/sys/kern/uipc_socket.c +++ b/sys/kern/uipc_socket.c @@ -2544,8 +2544,10 @@ sosetopt(struct socket *so, struct sockopt *sopt) error = EDOM; goto bad; } - val = tvtosbt(tv); - + if (tv.tv_sec > INT32_MAX) + val = SBT_MAX; + else + val = tvtosbt(tv); switch (sopt->sopt_name) { case SO_SNDTIMEO: so->so_snd.sb_timeo = val; @@ -2694,10 +2696,8 @@ integer: case SO_SNDTIMEO: case SO_RCVTIMEO: - optval = (sopt->sopt_name == SO_SNDTIMEO ? - so->so_snd.sb_timeo : so->so_rcv.sb_timeo); - - tv = sbttotv(optval); + tv = sbttotv(sopt->sopt_name == SO_SNDTIMEO ? + so->so_snd.sb_timeo : so->so_rcv.sb_timeo); #ifdef COMPAT_FREEBSD32 if (SV_CURPROC_FLAG(SV_ILP32)) { struct timeval32 tv32; |