diff options
author | delphij <delphij@FreeBSD.org> | 2013-08-22 00:51:37 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2013-08-22 00:51:37 +0000 |
commit | d76e7522dbd5a22c4cc16f04b56cd85b9e80f4d4 (patch) | |
tree | d5b81b0b956190de4676641328c148694eaf526f /sys/netinet/in_mcast.c | |
parent | c7af094e18c4e4ca2a26a88c488a803472d330ee (diff) | |
download | FreeBSD-src-d76e7522dbd5a22c4cc16f04b56cd85b9e80f4d4.zip FreeBSD-src-d76e7522dbd5a22c4cc16f04b56cd85b9e80f4d4.tar.gz |
Fix an integer overflow in computing the size of a temporary buffer
can result in a buffer which is too small for the requested
operation.
Security: CVE-2013-3077
Security: FreeBSD-SA-13:09.ip_multicast
Diffstat (limited to 'sys/netinet/in_mcast.c')
-rw-r--r-- | sys/netinet/in_mcast.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index 31f2fe1..8022c69 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -1648,6 +1648,8 @@ inp_get_source_filters(struct inpcb *inp, struct sockopt *sopt) * has asked for, but we always tell userland how big the * buffer really needs to be. */ + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + msfr.msfr_nsrcs = in_mcast_maxsocksrc; tss = NULL; if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, |