authordelphij <delphij@FreeBSD.org>2015-04-07 20:20:03 +0000
committerdelphij <delphij@FreeBSD.org>2015-04-07 20:20:03 +0000
commit4836e6055cc9e422bd1364e5e7b47dd5f0c9e0e4 (patch)
tree2fc26d730609f7b9268bed41bec00cbdf75cca35
parent4691664bd613abf1cf77ab8c3ec8bd47f4e7018e (diff)
Improve patch for SA-15:04.igmp to solve a potential buffer overflow.
Reported by: bde Submitted by: oshogbo
-rw-r--r--sys/netinet/igmp.c7
1 files changed, 3 insertions, 4 deletions
diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c
index 986ee3c..a094a49 100644
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@@ -1540,7 +1540,6 @@ igmp_input(struct mbuf **mp, int *offp, int proto)
struct igmpv3 *igmpv3;
uint16_t igmpv3len;
uint16_t nsrc;
- int srclen;
IGMPSTAT_INC(igps_rcv_v3_queries);
igmpv3 = (struct igmpv3 *)igmp;
@@ -1548,8 +1547,8 @@ igmp_input(struct mbuf **mp, int *offp, int proto)
* Validate length based on source count.
*/
nsrc = ntohs(igmpv3->igmp_numsrc);
- srclen = sizeof(struct in_addr) * nsrc;
- if (nsrc * sizeof(in_addr_t) > srclen) {
+ if (nsrc * sizeof(in_addr_t) >
+ UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
IGMPSTAT_INC(igps_rcv_tooshort);
return (IPPROTO_DONE);
}
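Review bot: The rejection branch ending in `return (IPPROTO_DONE);` leaves the function with no visible release of `m`; if igmp_input owns the mbuf at this point (not visible in this hunk), every query rejected here leaks one mbuf, and the sender controls how often that happens. Check the function's other error paths, which lie outside the hunk, and if they free the chain add `m_freem(m);` before the return. The comment above the test could also state why the bound is `UINT16_MAX`: `igmpv3len` is a `uint16_t`, so a larger source list would wrap the length later handed to `m_pullup`. Note too that `igps_rcv_tooshort` is incremented for a packet that claims too many sources, which may mislead someone reading the counters during triage.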
@@ -1558,7 +1557,7 @@ igmp_input(struct mbuf **mp, int *offp, int proto)
* this scope.
*/
igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
- srclen;
+ sizeof(struct in_addr) * nsrc;
if ((!M_WRITABLE(m) ||
m->m_len < igmpv3len) &&
(m = m_pullup(m, igmpv3len)) == NULL) {
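Review bot: The sum assigned to `igmpv3len` multiplies by `sizeof(struct in_addr)`, while the guard added earlier in this commit multiplies by `sizeof(in_addr_t)`; the bound and the value it protects should use the same expression so they cannot drift apart. The assignment also narrows a `size_t` result into a `uint16_t` silently and is safe only because of that earlier guard, so a comment here would help, for example `/* Cannot wrap: nsrc was bounded against UINT16_MAX above. */`. The `if` that consumes `igmpv3len` continues past the end of this hunk.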