From d76e7522dbd5a22c4cc16f04b56cd85b9e80f4d4 Mon Sep 17 00:00:00 2001 From: delphij Date: Thu, 22 Aug 2013 00:51:37 +0000 Subject: Fix an integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation. Security: CVE-2013-3077 Security: FreeBSD-SA-13:09.ip_multicast --- sys/netinet/in_mcast.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'sys/netinet/in_mcast.c') diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index 31f2fe1..8022c69 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -1648,6 +1648,8 @@ inp_get_source_filters(struct inpcb *inp, struct sockopt *sopt) * has asked for, but we always tell userland how big the * buffer really needs to be. */ + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + msfr.msfr_nsrcs = in_mcast_maxsocksrc; tss = NULL; if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, -- cgit v1.1