From 78dd3921ca9d34364c15bb4d55a63696968c5dde Mon Sep 17 00:00:00 2001
From: bz
Date: Wed, 3 Sep 2008 08:13:58 +0000
Subject: Fix a bug, when a specially crafted ICMPV6 MLD packet could lead to an integer divide by zero panic in the kernel, if the kernel was run with hz<1000.
Neither i386, pc98, amd64 or sparc64 are affected in the currently supported branches and default configuration.
Submitted by: Miikka Saukko, Ossi Herrala and Jukka Taimisto from the CROSS project at Codenomicon Ltd. via CERT-FI.
Reviewed by: bz, rwatson
Security: CVE-2008-2464
MFC after: 8 hours
---
 sys/netinet6/mld6.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'sys/netinet6/mld6.c')
diff --git a/sys/netinet6/mld6.c b/sys/netinet6/mld6.c
index 661724f..1216d95 100644
--- a/sys/netinet6/mld6.c
+++ b/sys/netinet6/mld6.c
@@ -275,7 +275,7 @@ mld6_input(struct mbuf *m, int off)
 struct in6_addr mld_addr, all_in6;
 struct in6_ifaddr *ia;
 struct ifmultiaddr *ifma;
- int timer; /* timer value in the MLD query header */
+ u_long timer; /* timer value in the MLD query header */
 #ifndef PULLDOWN_TEST
 IP6_EXTHDR_CHECK(m, off, sizeof(*mldh),);
@@ -391,9 +391,9 @@ mld6_input(struct mbuf *m, int off)
 in6m->in6m_state = MLD_IREPORTEDLAST;
 } else if (in6m->in6m_timer == IN6M_TIMER_UNDEF ||
- mld_timerresid(in6m) > (u_long)timer) {
- in6m->in6m_timer = arc4random() %
- (int)((long)(timer * hz) / 1000);
+ mld_timerresid(in6m) > timer) {
+ in6m->in6m_timer =
+ 1 + (arc4random() % timer) * hz / 1000;
 mld_starttimer(in6m);
 }
 }
--
cgit v1.1
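Review bot: The new modulus `arc4random() % timer` in the second hunk is only safe because an earlier branch — presumably the `timer == 0` case implied by the `} else if` on the hunk's second context line — has already excluded a zero divisor, and nothing in the replaced lines records that dependency. A comment above the assignment, `/* timer != 0 here (zero case handled above), so the modulo cannot trap */`, would keep a later restructuring of this branch from reintroducing the divide-by-zero the commit fixes. It is also worth stating in the same comment that the divisor is now the header value itself rather than `timer * hz / 1000`, which is what removes the hz<1000 dependency named in the message, and that the `1 +` guarantees the timer never starts at zero ticks. The enclosing mld6_input body begins and ends outside both hunks, so where `timer` is assigned and bounded cannot be confirmed from here.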