Fix an overflow in getsockopt(). optval isn't big enough to hold

sbintime_t. Re-introduce r255030 behaviour capping socket timeouts to INT_32 if they're too large. CR: https://phabric.freebsd.org/D433 Reported by: demon Reviewed by: bde [1], jhb [2] MFC after: 2 weeks
2014-08-04 05:40:51 +00:00 · 2014-08-04 05:40:51 +00:00 · 4295aa9240
commit 4295aa9240
parent a30281322a
1 changed files with 6 additions and 6 deletions
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@ -2544,8 +2544,10 @@ sosetopt(struct socket *so, struct sockopt *sopt)
 				error = EDOM;
 				goto bad;
 			}
-			val = tvtosbt(tv);
-
+			if (tv.tv_sec > INT32_MAX)
+				val = SBT_MAX;
+			else
+				val = tvtosbt(tv);
 			switch (sopt->sopt_name) {
 			case SO_SNDTIMEO:
 				so->so_snd.sb_timeo = val;
@ -2694,10 +2696,8 @@ sogetopt(struct socket *so, struct sockopt *sopt)

 		case SO_SNDTIMEO:
 		case SO_RCVTIMEO:
-			optval = (sopt->sopt_name == SO_SNDTIMEO ?
-				  so->so_snd.sb_timeo : so->so_rcv.sb_timeo);
-
-			tv = sbttotv(optval);
+			tv = sbttotv(sopt->sopt_name == SO_SNDTIMEO ?
+			    so->so_snd.sb_timeo : so->so_rcv.sb_timeo);
 #ifdef COMPAT_FREEBSD32
 			if (SV_CURPROC_FLAG(SV_ILP32)) {
 				struct timeval32 tv32;