Searched hist:"1 c732c85911eb9e39071cbdb50dfb1f0d76de40f" (Results 1 – 2 of 2) sorted by relevance
| /freebsd/sys/netpfil/ipfw/ |
| H A D | ip_dn_private.h | diff 1c732c85911eb9e39071cbdb50dfb1f0d76de40f Mon Nov 29 19:50:30 CET 2021 Mark Johnston <markj@FreeBSD.org> dummynet: Fix socket option length validation for IP_DUMMYNET3
The socket option handler tries to ensure that the option length is no
larger than some reasonable maximum, and no smaller than sizeof(struct
dn_id). But the loaded option length is stored in an int, which is
converted to an unsigned integer for the comparison with a size_t, so
negative values are not caught and instead get passed to malloc().
Change the code to use a size_t for the buffer size.
Reviewed by: kp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33133
|
| H A D | ip_dummynet.c | diff 1c732c85911eb9e39071cbdb50dfb1f0d76de40f Mon Nov 29 19:50:30 CET 2021 Mark Johnston <markj@FreeBSD.org> dummynet: Fix socket option length validation for IP_DUMMYNET3
The socket option handler tries to ensure that the option length is no
larger than some reasonable maximum, and no smaller than sizeof(struct
dn_id). But the loaded option length is stored in an int, which is
converted to an unsigned integer for the comparison with a size_t, so
negative values are not caught and instead get passed to malloc().
Change the code to use a size_t for the buffer size.
Reviewed by: kp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D33133
|