From 5cf82a5b30bb2361bb360fd663c089c95c523c4a Mon Sep 17 00:00:00 2001 From: delphij Date: Thu, 22 Aug 2013 00:51:43 +0000 Subject: [PATCH] Fix an integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation. Security: CVE-2013-3077 Security: FreeBSD-SA-13:09.ip_multicast Approved by: re (kib) git-svn-id: svn://svn.freebsd.org/base/releng/9.2@254630 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- sys/netinet/in_mcast.c | 2 ++ sys/netinet6/in6_mcast.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/sys/netinet/in_mcast.c b/sys/netinet/in_mcast.c index 812ca674..813fa3d5 100644 --- a/sys/netinet/in_mcast.c +++ b/sys/netinet/in_mcast.c @@ -1614,6 +1614,8 @@ inp_get_source_filters(struct inpcb *inp, struct sockopt *sopt) * has asked for, but we always tell userland how big the * buffer really needs to be. */ + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + msfr.msfr_nsrcs = in_mcast_maxsocksrc; tss = NULL; if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, diff --git a/sys/netinet6/in6_mcast.c b/sys/netinet6/in6_mcast.c index ce23aa8c..fca48b5c 100644 --- a/sys/netinet6/in6_mcast.c +++ b/sys/netinet6/in6_mcast.c @@ -1625,6 +1625,8 @@ in6p_get_source_filters(struct inpcb *inp, struct sockopt *sopt) * has asked for, but we always tell userland how big the * buffer really needs to be. */ + if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) + msfr.msfr_nsrcs = in6_mcast_maxsocksrc; tss = NULL; if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, -- 2.42.0