uipc_socket.c int to short conversion

Dillon Jay Pena Wed, 26 Apr 2017 22:17:13 -0700

In solisten, if somaxconn and backlog (both ints) are greater than
SHRT_MAX, then there is overflow when setting so->so_qlimit = backlog


It seems to me there are two ways to fix the problem. the first is to
check for the overflow, the other is to make so_qlimit (of struct
sockaddr) an int instead of a short in src/sys/sys/socketvar.h

I don't know that the first way is the better way to do it, but that's
what this diff is for.

Index: src/sys/kern/uipc_socket.c
===================================================================
RCS file: /cvs/src/sys/kern/uipc_socket.c,v
retrieving revision 1.182
diff -u -p -r1.182 uipc_socket.c
--- src/sys/kern/uipc_socket.c  2 Apr 2017 23:40:08 -0000       1.182
+++ src/sys/kern/uipc_socket.c  27 Apr 2017 04:55:21 -0000
@@ -49,6 +49,7 @@
 #include <sys/signalvar.h>
 #include <net/if.h>
 #include <sys/pool.h>
+#include <limits.h>

 #ifdef DDB
 #include <machine/db_machdep.h>
@@ -182,6 +183,8 @@ solisten(struct socket *so, int backlog)
                so->so_options |= SO_ACCEPTCONN;
        if (backlog < 0 || backlog > somaxconn)
                backlog = somaxconn;
+       if (backlog > SHRT_MAX)
+               backlog = SHRT_MAX;
        if (backlog < sominconn)
                backlog = sominconn;
        so->so_qlimit = backlog;
$


- Dillon

uipc_socket.c int to short conversion

Reply via email to