author | delphij <delphij@FreeBSD.org> | 2015-04-07 20:20:03 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2015-04-07 20:20:03 +0000 |
commit | 4836e6055cc9e422bd1364e5e7b47dd5f0c9e0e4 (patch) | |
tree | 2fc26d730609f7b9268bed41bec00cbdf75cca35 | |
parent | 4691664bd613abf1cf77ab8c3ec8bd47f4e7018e (diff) | |
Improve patch for SA-15:04.igmp to solve a potential buffer overflow.
Reported by: bde
Submitted by: oshogbo
-rw-r--r-- | sys/netinet/igmp.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c index 986ee3c..a094a49 100644 --- a/sys/netinet/igmp.c +++ b/sys/netinet/igmp.c @@ -1540,7 +1540,6 @@ igmp_input(struct mbuf **mp, int *offp, int proto) struct igmpv3 *igmpv3; uint16_t igmpv3len; uint16_t nsrc; - int srclen; IGMPSTAT_INC(igps_rcv_v3_queries); igmpv3 = (struct igmpv3 *)igmp; @@ -1548,8 +1547,8 @@ igmp_input(struct mbuf **mp, int *offp, int proto) * Validate length based on source count. */ nsrc = ntohs(igmpv3->igmp_numsrc); - srclen = sizeof(struct in_addr) * nsrc; - if (nsrc * sizeof(in_addr_t) > srclen) { + if (nsrc * sizeof(in_addr_t) > + UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) { IGMPSTAT_INC(igps_rcv_tooshort); return (IPPROTO_DONE); } @@ -1558,7 +1557,7 @@ igmp_input(struct mbuf **mp, int *offp, int proto) * this scope. */ igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN + - srclen; + sizeof(struct in_addr) * nsrc; if ((!M_WRITABLE(m) || m->m_len < igmpv3len) && (m = m_pullup(m, igmpv3len)) == NULL) { |
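Review bot: The new bound in the second hunk compares a `size_t` product against `UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN`, which is evaluated in signed arithmetic if `iphlen` is an `int` (its declaration is outside the hunk), so a negative result would convert to a very large unsigned value and the check would never reject. That cannot happen while `iphlen` is held to a valid IP header length, but the guard silently depends on it; a comment such as `/* iphlen is at most the maximum IP header length, so the bound stays positive and igmpv3len below cannot wrap */` would record the invariant. The check also multiplies by `sizeof(in_addr_t)` while the length in the third hunk uses `sizeof(struct in_addr)`; writing `if (nsrc * sizeof(struct in_addr) >` would tie the bound and the computed length to one expression. The check only guarantees that the sum fits in 16 bits, not that the datagram actually carries that many sources, which is presumably left to the `m_pullup()` call that follows.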
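Review bot: The assignment to `igmpv3len` in the third hunk narrows a `size_t` sum to `uint16_t`, and nothing at the assignment says that the truncation is safe only because of the range check a few lines earlier. A one-line comment above it, for example `/* Cannot exceed UINT16_MAX: nsrc was range-checked above. */`, would keep a later edit from moving or loosening that check without noticing the dependency. The `if` that consumes `igmpv3len` opens a block whose body lies outside the hunk, so how an `m_pullup()` failure is counted is not visible here.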