Date:      Tue, 7 Apr 2015 20:20:04 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r281228 - head/sys/netinet
Message-ID:  <201504072020.t37KK4ca028953@svn.freebsd.org>

Author: delphij
Date: Tue Apr  7 20:20:03 2015
New Revision: 281228
URL: https://svnweb.freebsd.org/changeset/base/281228

Log:
  Improve patch for SA-15:04.igmp to solve a potential buffer overflow.
  
  Reported by:	bde
  Submitted by:	oshogbo

Modified:
  head/sys/netinet/igmp.c

Modified: head/sys/netinet/igmp.c
==============================================================================
--- head/sys/netinet/igmp.c	Tue Apr  7 19:46:18 2015	(r281227)
+++ head/sys/netinet/igmp.c	Tue Apr  7 20:20:03 2015	(r281228)
@@ -1540,7 +1540,6 @@ igmp_input(struct mbuf **mp, int *offp, 
 				struct igmpv3 *igmpv3;
 				uint16_t igmpv3len;
 				uint16_t nsrc;
-				int srclen;
 
 				IGMPSTAT_INC(igps_rcv_v3_queries);
 				igmpv3 = (struct igmpv3 *)igmp;
@@ -1548,8 +1547,8 @@ igmp_input(struct mbuf **mp, int *offp, 
 				 * Validate length based on source count.
 				 */
 				nsrc = ntohs(igmpv3->igmp_numsrc);
-				srclen = sizeof(struct in_addr) * nsrc;
-				if (nsrc * sizeof(in_addr_t) > srclen) {
+				if (nsrc * sizeof(in_addr_t) >
+				    UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
 					IGMPSTAT_INC(igps_rcv_tooshort);
 					return (IPPROTO_DONE);
 				}
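Review bot: The right-hand side of the new comparison, `UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN`, is converted to `size_t` before it is compared with `nsrc * sizeof(in_addr_t)`, so a negative result would become a very large bound and the guard would accept any source count. This assumes `iphlen` is a signed `int`; its declaration is outside the hunk, as are the start and end of igmp_input. An IPv4 header length keeps the subtraction positive in practice, but the invariant deserves a comment above the test, for example `/* igmpv3len is uint16_t: reject source counts whose total length would not fit. */`. The guard also uses `sizeof(in_addr_t)` while the length computed in the next hunk uses `sizeof(struct in_addr)`; writing the same expression in both places would make it clear the guard bounds exactly that sum. Separately, `igps_rcv_tooshort` is incremented for what is really an oversized source count, which may mislead anyone triaging malformed-query statistics.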
@@ -1558,7 +1557,7 @@ igmp_input(struct mbuf **mp, int *offp, 
 				 * this scope.
 				 */
 				igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
-				    srclen;
+				   sizeof(struct in_addr) * nsrc;
 				if ((!M_WRITABLE(m) ||
 				     m->m_len < igmpv3len) &&
 				    (m = m_pullup(m, igmpv3len)) == NULL) {
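Review bot: The added continuation line `sizeof(struct in_addr) * nsrc;` is indented with three spaces after the tabs, where the line it replaces and the neighbouring continuations use four; it should read `    sizeof(struct in_addr) * nsrc;` after the tabs. The sum is evaluated in `size_t` and narrowed to the `uint16_t` `igmpv3len` on assignment, so its correctness depends entirely on the bound checked in the previous hunk. A short comment here stating that dependency, such as `/* Cannot truncate: bounded by the nsrc check above. */`, would help prevent the two from drifting apart in a later edit. The enclosing block continues past the end of the hunk.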


