Take into account possible overflow when multiplying. The casuality is

the malloc call later, panicing kernel due to the oversized allocation. Reported by: pho Reviewed by: jeff
author: kib <kib@FreeBSD.org> 2008-05-26 10:01:13 +0000
committer: kib <kib@FreeBSD.org> 2008-05-26 10:01:13 +0000
commit: 5941eb261965ba0766bdcb4ed80bbb8efd3f1705 (patch)
tree: e5b55007286958936696a3e77c9d6f30118009c6 /sys/kern/kern_cpuset.c
parent: 449e5df4dce72beb8ccfe1d977d585a96abb2fe2 (diff)
download: FreeBSD-src-5941eb261965ba0766bdcb4ed80bbb8efd3f1705.zip
FreeBSD-src-5941eb261965ba0766bdcb4ed80bbb8efd3f1705.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/kern/kern_cpuset.c b/sys/kern/kern_cpuset.c
index 22b6677..1a2495e 100644
--- a/sys/kern/kern_cpuset.c
+++ b/sys/kern/kern_cpuset.c
@@ -805,7 +805,7 @@ cpuset_getaffinity(struct thread *td, struct cpuset_getaffinity_args *uap)
 	size_t size;
 
 	if (uap->cpusetsize < sizeof(cpuset_t) ||
-	    uap->cpusetsize * NBBY > CPU_MAXSIZE)
+	    uap->cpusetsize > CPU_MAXSIZE / NBBY)
 		return (ERANGE);
 	size = uap->cpusetsize;
 	mask = malloc(size, M_TEMP, M_WAITOK | M_ZERO);
@@ -892,7 +892,7 @@ cpuset_setaffinity(struct thread *td, struct cpuset_setaffinity_args *uap)
 	int error;
 
 	if (uap->cpusetsize < sizeof(cpuset_t) ||
-	    uap->cpusetsize * NBBY > CPU_MAXSIZE)
+	    uap->cpusetsize > CPU_MAXSIZE / NBBY)
 		return (ERANGE);
 	mask = malloc(uap->cpusetsize, M_TEMP, M_WAITOK | M_ZERO);
 	error = copyin(uap->mask, mask, uap->cpusetsize);
author	kib <kib@FreeBSD.org>	2008-05-26 10:01:13 +0000
committer	kib <kib@FreeBSD.org>	2008-05-26 10:01:13 +0000
commit	5941eb261965ba0766bdcb4ed80bbb8efd3f1705 (patch)
tree	e5b55007286958936696a3e77c9d6f30118009c6 /sys/kern/kern_cpuset.c
parent	449e5df4dce72beb8ccfe1d977d585a96abb2fe2 (diff)
download	FreeBSD-src-5941eb261965ba0766bdcb4ed80bbb8efd3f1705.zip FreeBSD-src-5941eb261965ba0766bdcb4ed80bbb8efd3f1705.tar.gz