Module Name: src
Committed By: riastradh
Date: Sat Sep 3 10:03:20 UTC 2022
Modified Files:
src/sys/net: bpf.c
Log Message:
bpf(4): Reject bogus timeout values before arithmetic overflows.
Reported-by: syzbot+fbd86bdf579944b64...@syzkaller.appspotmail.com
https://syzkaller.appspot.com/bug?id=60d46fd4863952897cbf67c6b1bcc8b20ec7bde6
XXX pullup-8
XXX pullup-9
To generate a diff of this commit:
cvs rdiff -u -r1.246 -r1.247 src/sys/net/bpf.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/net/bpf.c
diff -u src/sys/net/bpf.c:1.246 src/sys/net/bpf.c:1.247
--- src/sys/net/bpf.c:1.246 Tue Mar 15 13:00:44 2022
+++ src/sys/net/bpf.c Sat Sep 3 10:03:20 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: bpf.c,v 1.246 2022/03/15 13:00:44 riastradh Exp $ */
+/* $NetBSD: bpf.c,v 1.247 2022/09/03 10:03:20 riastradh Exp $ */
/*
* Copyright (c) 1990, 1991, 1993
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.246 2022/03/15 13:00:44 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: bpf.c,v 1.247 2022/09/03 10:03:20 riastradh Exp $");
#if defined(_KERNEL_OPT)
#include "opt_bpf.h"
@@ -1152,7 +1152,11 @@ bpf_ioctl(struct file *fp, u_long cmd, v
struct timeval *tv = addr;
/* Compute number of ticks. */
- if (tv->tv_sec > INT_MAX/hz - 1) {
+ if (tv->tv_sec < 0 ||
+ tv->tv_usec < 0 || tv->tv_usec >= 1000000) {
+ error = EINVAL;
+ break;
+ } else if (tv->tv_sec > INT_MAX/hz - 1) {
d->bd_rtout = INT_MAX;
} else {
d->bd_rtout = tv->tv_sec * hz
@@ -1186,7 +1190,11 @@ bpf_ioctl(struct file *fp, u_long cmd, v
struct timeval50 *tv = addr;
/* Compute number of ticks. */
- if (tv->tv_sec > INT_MAX/hz - 1) {
+ if (tv->tv_sec < 0 ||
+ tv->tv_usec < 0 || tv->tv_usec >= 1000000) {
+ error = EINVAL;
+ break;
+ } else if (tv->tv_sec > INT_MAX/hz - 1) {
d->bd_rtout = INT_MAX;
} else {
d->bd_rtout = tv->tv_sec * hz
