b735a9d213
Fix an integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation. [13:09] Fix a bug that could lead to kernel memory disclosure with SCTP state cookie. [13:10] Add latest errata notices: Fix a data corruption problem with mfi(4) operating on > 2TB disks in a JBOD. [EN-13:03]
26 lines
1 KiB
Diff
26 lines
1 KiB
Diff
Index: sys/netinet/in_mcast.c
|
|
===================================================================
|
|
--- sys/netinet/in_mcast.c (revision 254252)
|
|
+++ sys/netinet/in_mcast.c (working copy)
|
|
@@ -1648,6 +1648,8 @@
|
|
* has asked for, but we always tell userland how big the
|
|
* buffer really needs to be.
|
|
*/
|
|
+ if (msfr.msfr_nsrcs > in_mcast_maxsocksrc)
|
|
+ msfr.msfr_nsrcs = in_mcast_maxsocksrc;
|
|
tss = NULL;
|
|
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
|
|
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
|
|
Index: sys/netinet6/in6_mcast.c
|
|
===================================================================
|
|
--- sys/netinet6/in6_mcast.c (revision 254252)
|
|
+++ sys/netinet6/in6_mcast.c (working copy)
|
|
@@ -1625,6 +1625,8 @@
|
|
* has asked for, but we always tell userland how big the
|
|
* buffer really needs to be.
|
|
*/
|
|
+ if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc)
|
|
+ msfr.msfr_nsrcs = in6_mcast_maxsocksrc;
|
|
tss = NULL;
|
|
if (msfr.msfr_srcs != NULL && msfr.msfr_nsrcs > 0) {
|
|
tss = malloc(sizeof(struct sockaddr_storage) * msfr.msfr_nsrcs,
|