Fix an integer overflow in computing the size of a temporary buffer
can result in a buffer which is too small for the requested operation. Security: CVE-2013-3077 Security: FreeBSD-SA-13:09.ip_multicast
This commit is contained in:
parent
7da1a731c6
commit
acde2476c4
@ -1648,6 +1648,8 @@ inp_get_source_filters(struct inpcb *inp, struct sockopt *sopt)
|
||||
* has asked for, but we always tell userland how big the
|
||||
* buffer really needs to be.
|
||||
*/
|
||||
if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
|
||||
msfr.msfr_nsrcs = in_mcast_maxsocksrc;
|
||||
tss = NULL;
|
||||
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
|
||||
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
|
||||
|
@ -1625,6 +1625,8 @@ in6p_get_source_filters(struct inpcb *inp, struct sockopt *sopt)
|
||||
* has asked for, but we always tell userland how big the
|
||||
* buffer really needs to be.
|
||||
*/
|
||||
if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
|
||||
msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
|
||||
tss = NULL;
|
||||
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
|
||||
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
|
||||
|
Loading…
Reference in New Issue
Block a user