From 3dffae44c0066a6e4aee54e1a346110caf316c12 Mon Sep 17 00:00:00 2001 From: Henning Brauer Date: Fri, 30 May 2003 20:08:35 +0000 Subject: o the timeout is int, not u_int32_t o check timeout for negative values and overflow ok tedu@ jason@ --- sys/net/if_bridge.c | 7 ++++++- sys/net/if_bridge.h | 6 +++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c index b6a2aa0382a..b2f6afca087 100644 --- a/sys/net/if_bridge.c +++ b/sys/net/if_bridge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: if_bridge.c,v 1.115 2003/05/03 21:15:11 deraadt Exp $ */ +/* $OpenBSD: if_bridge.c,v 1.116 2003/05/30 20:08:34 henning Exp $ */ /* * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net) @@ -548,6 +548,11 @@ bridge_ioctl(ifp, cmd, data) case SIOCBRDGSTO: if ((error = suser(prc->p_ucred, &prc->p_acflag)) != 0) break; + if (bparam->ifbrp_ctime < 0 || + bparam->ifbrp_ctime > INT_MAX / hz) { + error = EINVAL; + break; + } sc->sc_brttimeout = bparam->ifbrp_ctime; timeout_del(&sc->sc_brtimeout); if (bparam->ifbrp_ctime != 0) diff --git a/sys/net/if_bridge.h b/sys/net/if_bridge.h index b629cada435..d22814d1798 100644 --- a/sys/net/if_bridge.h +++ b/sys/net/if_bridge.h @@ -1,4 +1,4 @@ -/* $OpenBSD: if_bridge.h,v 1.20 2002/12/09 10:11:52 markus Exp $ */ +/* $OpenBSD: if_bridge.h,v 1.21 2003/05/30 20:08:34 henning Exp $ */ /* * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net) @@ -113,7 +113,7 @@ struct ifbrparam { char ifbrp_name[IFNAMSIZ]; union { u_int32_t ifbrpu_csize; /* cache size */ - u_int32_t ifbrpu_ctime; /* cache time (sec) */ + int ifbrpu_ctime; /* cache time (sec) */ u_int16_t ifbrpu_prio; /* bridge priority */ u_int8_t ifbrpu_hellotime; /* hello time (sec) */ u_int8_t ifbrpu_fwddelay; /* fwd delay (sec) */ @@ -256,7 +256,7 @@ struct bridge_softc { struct bridge_timer sc_tcn_timer; u_int32_t sc_brtmax; /* max # addresses */ u_int32_t sc_brtcnt; /* current # addrs */ - u_int32_t sc_brttimeout; /* timeout ticks */ + int sc_brttimeout; /* timeout ticks */ u_int32_t sc_hashkey; /* hash key */ struct timeout sc_brtimeout; /* timeout state */ struct timeout sc_bstptimeout; /* stp timeout */ -- cgit v1.2.3