Attachment #18473 for bug #54207

View | Details | Raw Unified | Return to bug 54207
Collapse All | Expand All

Lines 760-765 Link Here

(-)linux-2.4.22/net/ipv4/ip_sockglue.c~ (+5 lines)
760	if (copy_from_user(gsf, optval, optlen)) {	760	if (copy_from_user(gsf, optval, optlen)) {
761	goto mc_msf_out;	761	goto mc_msf_out;
762	}	762	}
		763	/* numsrc >= (4G-140)/128 overflow in 32 bits */
		764	if (gsf->gf_numsrc >= 0x1ffffff) {
		765	err = -ENOBUFS;
		766	goto mc_msf_out;
		767	}
763	if (GROUP_FILTER_SIZE(gsf->gf_numsrc) < optlen) {	768	if (GROUP_FILTER_SIZE(gsf->gf_numsrc) < optlen) {
764	err = EINVAL;	769	err = EINVAL;
765	goto mc_msf_out;	770	goto mc_msf_out;




			kfree(gsf);
			break;
		}
		/* numsrc >= (4G-140)/128 overflow in 32 bits */
		if (gsf->gf_numsrc >= 0x1ffffffU) {
			kfree(gsf);
			retv = -ENOBUFS;
			break;
		}
		if (GROUP_FILTER_SIZE(gsf->gf_numsrc) > optlen) {
			kfree(gsf);
			retv = -EINVAL;
			break;
		}
		retv = ip6_mc_msfilter(sk, gsf);
		kfree(gsf);


Return to bug 54207

Lines 466-471 Link Here

(-)linux-2.4.22/net/ipv6/ipv6_sockglue.c~ (+11 lines)
466	kfree(gsf);	466	kfree(gsf);
467	break;	467	break;
468	}	468	}
		469	/* numsrc >= (4G-140)/128 overflow in 32 bits */
		470	if (gsf->gf_numsrc >= 0x1ffffffU) {
		471	kfree(gsf);
		472	retv = -ENOBUFS;
		473	break;
		474	}
		475	if (GROUP_FILTER_SIZE(gsf->gf_numsrc) > optlen) {
		476	kfree(gsf);
		477	retv = -EINVAL;
		478	break;
		479	}
469	retv = ip6_mc_msfilter(sk, gsf);	480	retv = ip6_mc_msfilter(sk, gsf);
470	kfree(gsf);	481	kfree(gsf);
471		482