-rw-r--r--usr/src/cmd/cmd-inet/lib/ipmgmtd/ipmgmt_door.c9
-rw-r--r--usr/src/lib/libipadm/common/ipadm_ipmgmt.h3
2 files changed, 11 insertions, 1 deletions
diff --git a/usr/src/cmd/cmd-inet/lib/ipmgmtd/ipmgmt_door.c b/usr/src/cmd/cmd-inet/lib/ipmgmtd/ipmgmt_door.c
index 375f7f3add..c851b38baf 100644
--- a/usr/src/cmd/cmd-inet/lib/ipmgmtd/ipmgmt_door.c
+++ b/usr/src/cmd/cmd-inet/lib/ipmgmtd/ipmgmt_door.c
@@ -22,6 +22,7 @@
/*
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016-2017, Chris Fraire <cfraire@me.com>.
+ * Copyright 2021, Tintri by DDN. All rights reserved.
*/
/*
@@ -680,6 +681,10 @@ ipmgmt_getaddr_handler(void *argp)
NV_ENCODE_NATIVE)) != 0) {
goto fail;
}
+
+ if (onvlsize > (UINT32_MAX - sizeof (ipmgmt_get_rval_t)))
+ goto fail;
+
buflen = onvlsize + sizeof (ipmgmt_get_rval_t);
/*
* We cannot use malloc() here because door_return never returns, and
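Review bot: The new size guard in ipmgmt_getaddr_handler jumps to `fail` without setting `err`. It runs only after the `nvlist_size()` check has passed, so `err` is presumably still 0 there. If the `fail` path (outside this hunk) hands `err` back to the door caller, an oversized list would be reported as success with no payload. Setting an error first makes the rejection visible to the client, e.g. `if (onvlsize > (UINT32_MAX - sizeof (ipmgmt_get_rval_t))) { err = EOVERFLOW; goto fail; }`. The identical guard added in ipmgmt_initif_handler has the same gap, with the `err = nvlist_size(...)` assignment visible directly above it; both handler bodies start and end outside their hunks.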
@@ -823,6 +828,10 @@ ipmgmt_initif_handler(void *argp)
if ((err = nvlist_size(cbarg.cb_onvl, &nvlsize, NV_ENCODE_NATIVE)) != 0)
goto fail;
+
+ if (nvlsize > (UINT32_MAX - sizeof (ipmgmt_get_rval_t)))
+ goto fail;
+
buflen = nvlsize + sizeof (ipmgmt_get_rval_t);
/*
* We cannot use malloc() here because door_return never returns, and
diff --git a/usr/src/lib/libipadm/common/ipadm_ipmgmt.h b/usr/src/lib/libipadm/common/ipadm_ipmgmt.h
index 06e870f30b..4c6c66de96 100644
--- a/usr/src/lib/libipadm/common/ipadm_ipmgmt.h
+++ b/usr/src/lib/libipadm/common/ipadm_ipmgmt.h
@@ -21,6 +21,7 @@
/*
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, Chris Fraire <cfraire@me.com>.
+ * Copyright 2021, Tintri by DDN. All rights reserved.
*/
#ifndef _IPADM_IPMGMT_H
@@ -255,7 +256,7 @@ typedef struct ipmgmt_retval_s {
/* IPMGMT_CMD_GETADDR door_return value */
typedef struct ipmgmt_get_rval_s {
int32_t ir_err;
- size_t ir_nvlsize;
+ uint32_t ir_nvlsize;
/* packed nvl follows */
} ipmgmt_get_rval_t;
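Review bot: The narrowing of `ir_nvlsize` from `size_t` to `uint32_t` is undocumented; nothing at the field says why its width is now fixed. The `UINT32_MAX` guards added in ipmgmt_door.c suggest this struct is a door reply layout that must not vary with the data model of either side. If so, a comment on the field would keep a later edit from turning it back into `size_t`, for example `/* fixed width: layout must match for 32- and 64-bit door callers */`. Code that reads this field elsewhere is not visible in this diff and should be checked for leftover `size_t` assumptions.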