Improve patch for SA-15:04.igmp to solve a potential buffer overflow.

Reported by:	bde
Submitted by:	oshogbo
Xin LI 2015-04-07 20:20:03 +00:00
parent 10e69389b6
commit edc76c95db
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=281228


@ -1540,7 +1540,6 @@ igmp_input(struct mbuf **mp, int *offp, int proto)
struct igmpv3 *igmpv3;
uint16_t igmpv3len;
uint16_t nsrc;
int srclen;
IGMPSTAT_INC(igps_rcv_v3_queries);
igmpv3 = (struct igmpv3 *)igmp;
@ -1548,8 +1547,8 @@ igmp_input(struct mbuf **mp, int *offp, int proto)
* Validate length based on source count.
*/
nsrc = ntohs(igmpv3->igmp_numsrc);
srclen = sizeof(struct in_addr) * nsrc;
if (nsrc * sizeof(in_addr_t) > srclen) {
if (nsrc * sizeof(in_addr_t) >
UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
IGMPSTAT_INC(igps_rcv_tooshort);
return (IPPROTO_DONE);
}
@ -1558,7 +1557,7 @@ igmp_input(struct mbuf **mp, int *offp, int proto)
* this scope.
*/
igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
srclen;
sizeof(struct in_addr) * nsrc;
if ((!M_WRITABLE(m) ||
m->m_len < igmpv3len) &&
(m = m_pullup(m, igmpv3len)) == NULL) {
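Review bot: The new guard multiplies `nsrc` by `sizeof(in_addr_t)`, while the length it protects, `igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN + sizeof(struct in_addr) * nsrc`, uses `sizeof(struct in_addr)`, so the check only proves the `uint16_t` sum cannot truncate as long as those two sizes stay equal. I would write the guard as `if (nsrc * sizeof(struct in_addr) >` so both lines share one expression, and add a comment above it such as `/* igmpv3len is uint16_t; reject source counts whose total length would not fit. */`, because "Validate length based on source count" does not say what the bound is for. The right-hand side `UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN` is compared against a `size_t`, so it relies on `iphlen` being small and non-negative; its declaration is outside these hunks, so that is presumably guaranteed by the earlier IP header handling but is worth confirming. `igmp_input` begins and ends outside the hunks shown.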