Diffstat (limited to 'freebsd/sys/netinet/igmp.c')
-rw-r--r--freebsd/sys/netinet/igmp.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/freebsd/sys/netinet/igmp.c b/freebsd/sys/netinet/igmp.c
index 3056fa3a..78d9685b 100644
--- a/freebsd/sys/netinet/igmp.c
+++ b/freebsd/sys/netinet/igmp.c
@@ -1535,8 +1535,7 @@ igmp_input(struct mbuf *m, int off)
case IGMP_VERSION_3: {
struct igmpv3 *igmpv3;
uint16_t igmpv3len;
- uint16_t srclen;
- int nsrc;
+ uint16_t nsrc;
IGMPSTAT_INC(igps_rcv_v3_queries);
igmpv3 = (struct igmpv3 *)igmp;
@@ -1544,8 +1543,8 @@ igmp_input(struct mbuf *m, int off)
* Validate length based on source count.
*/
nsrc = ntohs(igmpv3->igmp_numsrc);
- srclen = sizeof(struct in_addr) * nsrc;
- if (nsrc * sizeof(in_addr_t) > srclen) {
+ if (nsrc * sizeof(in_addr_t) >
+ UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN) {
IGMPSTAT_INC(igps_rcv_tooshort);
return;
}
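Review bot: The guard at `if (nsrc * sizeof(in_addr_t) > UINT16_MAX - iphlen - IGMP_V3_QUERY_MINLEN)` only keeps the 16-bit `igmpv3len` computed further down from wrapping; it does not compare the sender-controlled `igmp_numsrc` with the length of the datagram that was actually received. Rejection of a count larger than the packet appears to be left to the `m_pullup()` call in the next hunk, which is worth confirming since the rest of that path is not visible here. The existing comment "Validate length based on source count" no longer describes the test, so I would reword it, e.g. `/* Reject source counts that would overflow the uint16_t igmpv3len below. */`. The failure is also counted as `igps_rcv_tooshort`, which will read oddly in statistics for an oversized count.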
@@ -1554,7 +1553,7 @@ igmp_input(struct mbuf *m, int off)
* this scope.
*/
igmpv3len = iphlen + IGMP_V3_QUERY_MINLEN +
- srclen;
+ sizeof(struct in_addr) * nsrc;
if ((m->m_flags & M_EXT ||
m->m_len < igmpv3len) &&
(m = m_pullup(m, igmpv3len)) == NULL) {
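Review bot: The length here is computed with `sizeof(struct in_addr) * nsrc`, while the overflow guard in the previous hunk multiplies by `sizeof(in_addr_t)`; the guard is only sound while those two sizes stay equal. Use the same expression in both places, for example `if (nsrc * sizeof(struct in_addr) >` in the guard. The `if` statement that consumes `igmpv3len` continues past the end of this hunk.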