From d5c97915ca881f925236c58bd1704de34e4f183f Mon Sep 17 00:00:00 2001
From: glebius <glebius@FreeBSD.org>
Date: Tue, 17 May 2016 22:28:11 +0000
Subject: - Use unsigned version of min() when handling arguments of SETFKEY
 ioctl. - Validate that user supplied control message length in sendmsg(2)  
 is not negative.

Security:	SA-16:18
Security:	CVE-2016-1886
Security:	SA-16:19
Security:	CVE-2016-1887
Submitted by:	C Turt <cturt hardenedbsd.org>
Approved by:	so
---
 UPDATING                 | 7 +++++++
 sys/conf/newvers.sh      | 2 +-
 sys/dev/kbd/kbd.c        | 2 +-
 sys/kern/uipc_syscalls.c | 3 +++
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/UPDATING b/UPDATING
index a4706e2..2e33b54 100644
--- a/UPDATING
+++ b/UPDATING
@@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20160517	p34	FreeBSD-SA-16:18.atkbd
+			FreeBSD-SA-16:19.sendmsg
+
+	Fix buffer overflow in keyboard driver. [SA-16:18]
+
+	Fix incorrect argument handling in sendmsg(2). [SA-16:19]
+
 20160504	p33	FreeBSD-SA-16:17.openssl
 			FreeBSD-EN-16:08.zfs
 
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 19e2a70..2284778 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RELEASE-p33"
+BRANCH="RELEASE-p34"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/dev/kbd/kbd.c b/sys/dev/kbd/kbd.c
index 8036762..f1a1b29 100644
--- a/sys/dev/kbd/kbd.c
+++ b/sys/dev/kbd/kbd.c
@@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_long cmd, caddr_t arg)
 			splx(s);
 			return (error);
 		}
-		kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK);
+		kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK);
 		bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str,
 		    kbd->kb_fkeytab[fkeyp->keynum].len);
 		break;
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 5fd4821..60a1f8f 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -1787,6 +1787,9 @@ sockargs(mp, buf, buflen, type)
 	struct mbuf *m;
 	int error;
 
+	if (buflen < 0)
+		return (EINVAL);
+
 	if (buflen > MLEN) {
 #ifdef COMPAT_OLDSOCK
 		if (type == MT_SONAME && buflen <= 112)
-- 
cgit v1.1