summaryrefslogtreecommitdiff
path: root/usr/src/lib/libsmbfs/smb/mbuf.c
diff options
context:
space:
mode:
Diffstat (limited to 'usr/src/lib/libsmbfs/smb/mbuf.c')
-rw-r--r--usr/src/lib/libsmbfs/smb/mbuf.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/usr/src/lib/libsmbfs/smb/mbuf.c b/usr/src/lib/libsmbfs/smb/mbuf.c
index f03c4fedc3..6f08ce1def 100644
--- a/usr/src/lib/libsmbfs/smb/mbuf.c
+++ b/usr/src/lib/libsmbfs/smb/mbuf.c
@@ -42,6 +42,7 @@
#include <string.h>
#include <strings.h>
#include <libintl.h>
+#include <assert.h>
#include <netsmb/smb.h>
#include <netsmb/smb_lib.h>
@@ -58,6 +59,8 @@ m_get(size_t len, struct mbuf **mpp)
{
struct mbuf *m;
+ assert(len < 0x100000); /* sanity */
+
len = M_ALIGN(len);
if (len < M_MINSIZE)
len = M_MINSIZE;
@@ -163,10 +166,13 @@ int
m_getm(struct mbuf *top, size_t len, struct mbuf **mpp)
{
struct mbuf *m, *mp;
- int error;
+ int error, ts;
for (mp = top; ; mp = mp->m_next) {
- len -= M_TRAILINGSPACE(mp);
+ ts = M_TRAILINGSPACE(mp);
+ if (len <= ts)
+ goto out;
+ len -= ts;
if (mp->m_next == NULL)
break;
@@ -176,6 +182,7 @@ m_getm(struct mbuf *top, size_t len, struct mbuf **mpp)
return (error);
mp->m_next = m;
}
+out:
*mpp = top;
return (0);
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-26 00:19:10 +0000