1c732c8591
The socket option handler tries to ensure that the option length is no larger than some reasonable maximum, and no smaller than sizeof(struct dn_id). But the loaded option length is stored in an int, which is converted to an unsigned integer for the comparison with a size_t, so negative values are not caught and instead get passed to malloc(). Change the code to use a size_t for the buffer size. Reviewed by: kp MFC after: 1 week Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D33133 |
||
---|---|---|
.. | ||
nat64 | ||
nptv6 | ||
pmod | ||
test | ||
dn_aqm_codel.c | ||
dn_aqm_codel.h | ||
dn_aqm_pie.c | ||
dn_aqm_pie.h | ||
dn_aqm.h | ||
dn_heap.c | ||
dn_heap.h | ||
dn_sched_fifo.c | ||
dn_sched_fq_codel_helper.h | ||
dn_sched_fq_codel.c | ||
dn_sched_fq_codel.h | ||
dn_sched_fq_pie.c | ||
dn_sched_prio.c | ||
dn_sched_qfq.c | ||
dn_sched_rr.c | ||
dn_sched_wf2q.c | ||
dn_sched.h | ||
dummynet.txt | ||
ip_dn_glue.c | ||
ip_dn_io.c | ||
ip_dn_private.h | ||
ip_dummynet.c | ||
ip_fw2.c | ||
ip_fw_bpf.c | ||
ip_fw_dynamic.c | ||
ip_fw_eaction.c | ||
ip_fw_iface.c | ||
ip_fw_log.c | ||
ip_fw_nat.c | ||
ip_fw_pfil.c | ||
ip_fw_private.h | ||
ip_fw_sockopt.c | ||
ip_fw_table_algo.c | ||
ip_fw_table_value.c | ||
ip_fw_table.c | ||
ip_fw_table.h |