authorAlexander Bluhm <bluhm@cvs.openbsd.org>2022-02-13 23:11:11 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2022-02-13 23:11:11 +0000
commit87de0daa971d1e149fa18688b4d4d3a82b506252 (patch)
tree6885809cb8c11fbcf619383cf23082e586184271
parent3ff6b8cd53f6ad28574ece1c20aeda7671ec0541 (diff)
The length value in bpf_movein() is cast from size_t to u_int
and then rounded before checking. Put the same check before the calculations to avoid overflow. Reported-by: syzbot+6f29d23eca959c5a9705@syzkaller.appspotmail.com OK claudio@
-rw-r--r--sys/net/bpf.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index 2d0d069d27c..369ed377f87 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bpf.c,v 1.213 2022/02/13 12:58:46 visa Exp $ */
+/* $OpenBSD: bpf.c,v 1.214 2022/02/13 23:11:10 bluhm Exp $ */
/* $NetBSD: bpf.c,v 1.33 1997/02/21 23:59:35 thorpej Exp $ */
/*
@@ -198,6 +198,8 @@ bpf_movein(struct uio *uio, struct bpf_d *d, struct mbuf **mp,
return (EIO);
}
+ if (uio->uio_resid > MAXMCLBYTES)
+ return (EMSGSIZE);
len = uio->uio_resid;
if (len < hlen)
return (EINVAL);
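Review bot: The added `uio->uio_resid > MAXMCLBYTES` guard carries no comment explaining why it must sit before `len = uio->uio_resid`, and with the `mlen > MAXMCLBYTES` test a few lines further down it reads as a duplicate that a later cleanup could drop. According to the commit description, the assignment narrows a size_t to u_int and the length is then rounded up before the existing check, so the early test is the only one that sees the untruncated value. I would put a comment directly above it, for example `/* Bound the size_t length before it is narrowed to u_int; the mlen check below runs after truncation and roundup(). */`. The declaration of `len` and the rest of bpf_movein() lie outside this hunk, so the types are taken from the commit description rather than from visible lines.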
@@ -211,7 +213,6 @@ bpf_movein(struct uio *uio, struct bpf_d *d, struct mbuf **mp,
* Allocate enough space for headers and the aligned payload.
*/
mlen = max(max_linkhdr, hlen) + roundup(alen, sizeof(long));
-
if (mlen > MAXMCLBYTES)
return (EMSGSIZE);