From c2b0a86c6a2797cd2f460e463b0a5c88aa751981 Mon Sep 17 00:00:00 2001
From: Matthew Dillon
Date: Tue, 16 Dec 2008 09:49:35 -0800
Subject: [PATCH] Add missing range checks to sopt_valsize for the linux emulated setsockopt().
---
sys/emulation/linux/linux_socket.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sys/emulation/linux/linux_socket.c b/sys/emulation/linux/linux_socket.c
index 00941c65ff..d7749eb632 100644
--- a/sys/emulation/linux/linux_socket.c
+++ b/sys/emulation/linux/linux_socket.c
@@ -1089,6 +1089,9 @@ linux_setsockopt(struct linux_setsockopt_args *args, int *res)
 sopt.sopt_valsize = linux_args.optlen;
 sopt.sopt_td = td;

+ if (sopt.sopt_valsize < 0 || sopt.sopt_valsize > SOMAXOPT_SIZE)
+ return (EINVAL);
+
 if (linux_args.optval) {
 sopt.sopt_val = kmalloc(sopt.sopt_valsize, M_TEMP, M_WAITOK);
 error = copyin(linux_args.optval, sopt.sopt_val, sopt.sopt_valsize);
@@ -1133,7 +1136,7 @@ linux_getsockopt(struct linux_getsockopt_args *args, int *res)
 error = copyin(linux_args.optlen, &valsize, sizeof(valsize));
 if (error)
 return (error);
- if (valsize < 0)
+ if (valsize < 0 || valsize > SOMAXOPT_SIZE)
 return (EINVAL);
 } else {
 valsize = 0;
--
2.11.4.GIT
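Review bot: In the linux_setsockopt hunk the new bound tests `sopt.sopt_valsize` after it has been assigned from `linux_args.optlen`, so whether the `< 0` arm can ever fire depends on that field's type, which the hunk does not show. If the field is unsigned, a negative optlen is rejected only because it converts to a value above SOMAXOPT_SIZE. Assuming optlen is a signed Linux int, testing the user-supplied value before the assignment states the intent without relying on the conversion: `if (linux_args.optlen < 0 || linux_args.optlen > SOMAXOPT_SIZE) return (EINVAL);`. A one-line comment that this length sizes the `kmalloc(..., M_WAITOK)` and `copyin()` just below would record why the check sits here. The function body starts and ends outside the hunk, so it is worth confirming that nothing acquired earlier needs releasing on this early return.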
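Review bot: In the linux_getsockopt hunk `valsize` is the caller's output-buffer capacity, so the added `valsize > SOMAXOPT_SIZE` arm turns an over-generous buffer into EINVAL rather than a shorter result. If emulated Linux binaries are expected to pass large buffers, clamping may be the more compatible choice, e.g. `if (valsize > SOMAXOPT_SIZE) valsize = SOMAXOPT_SIZE;`, provided the length written back to the caller is the actual option length; that code is outside the hunk. If rejection is intended, a comment such as `/* user-supplied length; bounded before it sizes the kernel buffer */` would say so. How `valsize` is used afterwards is not visible here, so the allocation it guards is inferred from the setsockopt hunk.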