[Midnightbsd-cvs] src [6991] trunk/sys/netinet/igmp.c: fix a possible overflow issue
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Tue Apr 7 21:25:40 EDT 2015
Revision: 6991
http://svnweb.midnightbsd.org/src/?rev=6991
Author: laffer1
Date: 2015-04-07 21:25:39 -0400 (Tue, 07 Apr 2015)
Log Message:
-----------
fix a possible overflow issue
Modified Paths:
--------------
trunk/sys/netinet/igmp.c
Modified: trunk/sys/netinet/igmp.c
===================================================================
--- trunk/sys/netinet/igmp.c 2015-03-20 12:28:09 UTC (rev 6990)
+++ trunk/sys/netinet/igmp.c 2015-04-08 01:25:39 UTC (rev 6991)
@@ -1533,7 +1533,6 @@
struct igmpv3 *igmpv3;
uint16_t igmpv3len;
uint16_t nsrc;
- int srclen;
IGMPSTAT_INC(igps_rcv_v3_queries);
igmpv3 = (struct igmpv3 *)igmp;
@@ -1541,8 +1540,8 @@
* Validate length based on source count.
*/
nsrc = ntohs(igmpv3->igmp_numsrc);
- srclen = sizeof(struct in_addr) * nsrc;
- if (nsrc * sizeof(in_addr_t) > srclen) {
+ if (nsrc * sizeof(in_addr_t) >
+ UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
IGMPSTAT_INC(igps_rcv_tooshort);
return;
}
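Review bot: The new test `if (nsrc * sizeof(in_addr_t) > UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN)` has no comment explaining why `UINT16_MAX` is the limit. The existing comment still says only "Validate length based on source count", which does not tell a reader that the bound keeps the later sum from wrapping `igmpv3len`, declared `uint16_t` in the first hunk. I would add `/* igmpv3len is uint16_t: reject source counts whose total length would wrap it. */` directly above the test. The rejection is also counted under `igps_rcv_tooshort`, although the condition is an over-large advertised source count rather than a short packet, which can mislead someone reading the statistics during triage; whether a better-fitting counter exists is not visible here. The enclosing function starts and ends outside the hunk.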
@@ -1551,7 +1550,7 @@
* this scope.
*/
igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
- srclen;
+ sizeof(struct in_addr) * nsrc;
if ((m->m_flags & M_EXT ||
m->m_len < igmpv3len) &&
(m = m_pullup(m, igmpv3len)) == NULL) {
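Review bot: The sum assigned to `igmpv3len` spells the per-source size as `sizeof(struct in_addr)`, while the guard added in the previous hunk uses `sizeof(in_addr_t)`. The guard only protects this narrowing assignment to `uint16_t` if the two expressions stay the same size. I would write the guard with the same expression, `if (nsrc * sizeof(struct in_addr) > UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {`, so the check and the computation cannot drift apart. Neither hunk compares the advertised source count with the length actually received, so that appears to rest on `m_pullup()` returning NULL for a short chain; a one-line comment saying so would help, as the body of that `if` lies outside the hunk.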