svn commit: r281228 - head/sys/netinet
Xin LI
delphij at FreeBSD.org
Tue Apr 7 20:20:04 UTC 2015
Author: delphij
Date: Tue Apr 7 20:20:03 2015
New Revision: 281228
URL: https://svnweb.freebsd.org/changeset/base/281228
Log:
Improve patch for SA-15:04.igmp to solve a potential buffer overflow.
Reported by: bde
Submitted by: oshogbo
Modified:
head/sys/netinet/igmp.c
Modified: head/sys/netinet/igmp.c
==============================================================================
--- head/sys/netinet/igmp.c Tue Apr 7 19:46:18 2015 (r281227)
+++ head/sys/netinet/igmp.c Tue Apr 7 20:20:03 2015 (r281228)
@@ -1540,7 +1540,6 @@ igmp_input(struct mbuf **mp, int *offp,
struct igmpv3 *igmpv3;
uint16_t igmpv3len;
uint16_t nsrc;
- int srclen;
IGMPSTAT_INC(igps_rcv_v3_queries);
igmpv3 = (struct igmpv3 *)igmp;
@@ -1548,8 +1547,8 @@ igmp_input(struct mbuf **mp, int *offp,
* Validate length based on source count.
*/
nsrc = ntohs(igmpv3->igmp_numsrc);
- srclen = sizeof(struct in_addr) * nsrc;
- if (nsrc * sizeof(in_addr_t) > srclen) {
+ if (nsrc * sizeof(in_addr_t) >
+ UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
IGMPSTAT_INC(igps_rcv_tooshort);
return (IPPROTO_DONE);
}
@@ -1558,7 +1557,7 @@ igmp_input(struct mbuf **mp, int *offp,
* this scope.
*/
igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
- srclen;
+ sizeof(struct in_addr) * nsrc;
if ((!M_WRITABLE(m) ||
m->m_len < igmpv3len) &&
(m = m_pullup(m, igmpv3len)) == NULL) {
More information about the svn-src-head
mailing list