Validate that user supplied control message length is not negative.

Submitted by: C Turt <cturt hardenedbsd.org> Security: SA-16:19 Security: CVE-2016-1887
svn path=/head/; revision=300090
2016-05-17 22:28:53 +00:00 · 2016-05-17 22:28:53 +00:00 · 7349ea785c · 2020-12-20 02:59:44 +00:00
commit 7349ea785c
parent c9d2719027
1 changed files with 3 additions and 0 deletions
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@ -1699,6 +1699,9 @@ sockargs(mp, buf, buflen, type)
 	struct mbuf *m;
 	int error;

+	if (buflen < 0)
+		return (EINVAL);
+
 	if (buflen > MLEN) {
 #ifdef COMPAT_OLDSOCK
 		if (type == MT_SONAME && buflen <= 112)