Improve patch for SA-15:04.igmp to solve a potential buffer overflow.

Reported by: bde Submitted by: oshogbo
2015-04-07 20:20:03 +00:00 · 2015-04-07 20:20:03 +00:00 · edc76c95db
commit edc76c95db
parent 10e69389b6
1 changed files with 3 additions and 4 deletions
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@ -1540,7 +1540,6 @@ igmp_input(struct mbuf **mp, int *offp, int proto)
 				struct igmpv3 *igmpv3;
 				uint16_t igmpv3len;
 				uint16_t nsrc;
-				int srclen;

 				IGMPSTAT_INC(igps_rcv_v3_queries);
 				igmpv3 = (struct igmpv3 *)igmp;
@ -1548,8 +1547,8 @@ igmp_input(struct mbuf **mp, int *offp, int proto)
 				 * Validate length based on source count.
 				 */
 				nsrc = ntohs(igmpv3->igmp_numsrc);
-				srclen = sizeof(struct in_addr) * nsrc;
-				if (nsrc * sizeof(in_addr_t) > srclen) {
+				if (nsrc * sizeof(in_addr_t) >
+				    UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
 					IGMPSTAT_INC(igps_rcv_tooshort);
 					return (IPPROTO_DONE);
 				}
@ -1558,7 +1557,7 @@ igmp_input(struct mbuf **mp, int *offp, int proto)
 				 * this scope.
 				 */
 				igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
-				    srclen;
+				   sizeof(struct in_addr) * nsrc;
 				if ((!M_WRITABLE(m) ||
 				     m->m_len < igmpv3len) &&
 				    (m = m_pullup(m, igmpv3len)) == NULL) {