diff options
author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2022-02-13 23:11:11 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2022-02-13 23:11:11 +0000 |
commit | 87de0daa971d1e149fa18688b4d4d3a82b506252 (patch) | |
tree | 6885809cb8c11fbcf619383cf23082e586184271 | |
parent | 3ff6b8cd53f6ad28574ece1c20aeda7671ec0541 (diff) |
The length value in bpf_movein() is casted to from size_t to u_int
and then rounded before checking. Put the same check before the
calculations to avoid overflow.
Reported-by: syzbot+6f29d23eca959c5a9705@syzkaller.appspotmail.com
OK claudio@
-rw-r--r-- | sys/net/bpf.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/bpf.c b/sys/net/bpf.c index 2d0d069d27c..369ed377f87 100644 --- a/sys/net/bpf.c +++ b/sys/net/bpf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bpf.c,v 1.213 2022/02/13 12:58:46 visa Exp $ */ +/* $OpenBSD: bpf.c,v 1.214 2022/02/13 23:11:10 bluhm Exp $ */ /* $NetBSD: bpf.c,v 1.33 1997/02/21 23:59:35 thorpej Exp $ */ /* @@ -198,6 +198,8 @@ bpf_movein(struct uio *uio, struct bpf_d *d, struct mbuf **mp, return (EIO); } + if (uio->uio_resid > MAXMCLBYTES) + return (EMSGSIZE); len = uio->uio_resid; if (len < hlen) return (EINVAL); @@ -211,7 +213,6 @@ bpf_movein(struct uio *uio, struct bpf_d *d, struct mbuf **mp, * Allocate enough space for headers and the aligned payload. */ mlen = max(max_linkhdr, hlen) + roundup(alen, sizeof(long)); - if (mlen > MAXMCLBYTES) return (EMSGSIZE); |