From owner-svn-src-releng@FreeBSD.ORG Thu Aug 22 00:51:44 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 6403D329; Thu, 22 Aug 2013 00:51:44 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 50DC32A91; Thu, 22 Aug 2013 00:51:44 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r7M0pi3Y012688; Thu, 22 Aug 2013 00:51:44 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r7M0phQ5012686; Thu, 22 Aug 2013 00:51:43 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201308220051.r7M0phQ5012686@svn.freebsd.org> From: Xin LI Date: Thu, 22 Aug 2013 00:51:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r254630 - in releng/9.2/sys: netinet netinet6 X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Aug 2013 00:51:44 -0000 Author: delphij Date: Thu Aug 22 00:51:43 2013 New Revision: 254630 URL: http://svnweb.freebsd.org/changeset/base/254630 Log: Fix an integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation. Security: CVE-2013-3077 Security: FreeBSD-SA-13:09.ip_multicast Approved by: re (kib) Modified: releng/9.2/sys/netinet/in_mcast.c releng/9.2/sys/netinet6/in6_mcast.c Modified: releng/9.2/sys/netinet/in_mcast.c ============================================================================== --- releng/9.2/sys/netinet/in_mcast.c Thu Aug 22 00:51:37 2013 (r254629) +++ releng/9.2/sys/netinet/in_mcast.c Thu Aug 22 00:51:43 2013 (r254630) @@ -1614,6 +1614,8 @@ inp_get_source_filters(struct inpcb *inp * has asked for, but we always tell userland how big the * buffer really needs to be. */ + if (msfr.msfr_nsrcs > in_mcast_maxsocksrc) + msfr.msfr_nsrcs = in_mcast_maxsocksrc; tss = NULL; if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs, Modified: releng/9.2/sys/netinet6/in6_mcast.c ============================================================================== --- releng/9.2/sys/netinet6/in6_mcast.c Thu Aug 22 00:51:37 2013 (r254629) +++ releng/9.2/sys/netinet6/in6_mcast.c Thu Aug 22 00:51:43 2013 (r254630) @@ -1625,6 +1625,8 @@ in6p_get_source_filters(struct inpcb *in * has asked for, but we always tell userland how big the * buffer really needs to be. */ + if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) + msfr.msfr_nsrcs = in6_mcast_maxsocksrc; tss = NULL; if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) { tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,