diff options
| author | delphij <delphij@FreeBSD.org> | 2013-08-22 00:51:37 +0000 |
|---|---|---|
| committer | delphij <delphij@FreeBSD.org> | 2013-08-22 00:51:37 +0000 |
| commit | d76e7522dbd5a22c4cc16f04b56cd85b9e80f4d4 (patch) | |
| tree | d5b81b0b956190de4676641328c148694eaf526f /sys/netinet6 | |
| parent | c7af094e18c4e4ca2a26a88c488a803472d330ee (diff) | |
| download | FreeBSD-src-d76e7522dbd5a22c4cc16f04b56cd85b9e80f4d4.zip FreeBSD-src-d76e7522dbd5a22c4cc16f04b56cd85b9e80f4d4.tar.gz | |
Fix an integer overflow in computing the size of a temporary buffer
can result in a buffer which is too small for the requested
operation.
Security: CVE-2013-3077
Security: FreeBSD-SA-13:09.ip_multicast
Diffstat (limited to 'sys/netinet6')
| -rw-r--r-- | sys/netinet6/in6_mcast.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c index ce23aa8..fca48b5 100644 --- a/sys/netinet6/in6_mcast.c +++ b/sys/netinet6/in6_mcast.c @@ -1625,6 +1625,8 @@ in6p_get_source_filters(struct inpcb *inp, struct sockopt *sopt) * has asked for, but we always tell userland how big the * buffer really needs to be. */ + if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) + msfr.msfr_nsrcs = in6_mcast_maxsocksrc; tss = NULL; if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, |
