[IGMP/MLD]: Check for numsrc overflow, plus temp buffer tweaks.

net/ipv4/ip_sockglue.c

@@ -617,10 +617,15 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int opt
 		}
 		case IP_MSFILTER:
 		{
+			extern int sysctl_optmem_max;
 			struct ip_msfilter *msf;
 
 			if (optlen < IP_MSFILTER_SIZE(0))
 				goto e_inval;
+			if (optlen > sysctl_optmem_max) {
+				err = -ENOBUFS;
+				break;
+			}
 			msf = (struct ip_msfilter *)kmalloc(optlen, GFP_KERNEL);
 			if (msf == 0) {
 				err = -ENOBUFS;
@@ -631,7 +636,9 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int opt
 				kfree(msf);
 				break;
 			}
-			if (IP_MSFILTER_SIZE(msf->imsf_numsrc) > optlen) {
+			if (IP_MSFILTER_SIZE(msf->imsf_numsrc) < 
+			    IP_MSFILTER_SIZE(0) ||
+			    IP_MSFILTER_SIZE(msf->imsf_numsrc) > optlen) {
 				kfree(msf);
 				err = -EINVAL;
 				break;

net/ipv6/ipv6_sockglue.c

@@ -436,10 +436,15 @@ int ipv6_setsockopt(struct sock *sk, int level, int optname, char *optval,
 	}
 	case MCAST_MSFILTER:
 	{
+		extern int sysctl_optmem_max;
 		struct group_filter *gsf;
 
 		if (optlen < GROUP_FILTER_SIZE(0))
 			goto e_inval;
+		if (optlen > sysctl_optmem_max) {
+			retv = -ENOBUFS;
+			break;
+		}
 		gsf = (struct group_filter *)kmalloc(optlen,GFP_KERNEL);
 		if (gsf == 0) {
 			retv = -ENOBUFS;
@@ -450,7 +455,8 @@ int ipv6_setsockopt(struct sock *sk, int level, int optname, char *optval,
 			kfree(gsf);
 			break;
 		}
-		if (GROUP_FILTER_SIZE(gsf->gf_numsrc) > optlen) {
+		if (GROUP_FILTER_SIZE(gsf->gf_numsrc) < GROUP_FILTER_SIZE(0) ||
+		    GROUP_FILTER_SIZE(gsf->gf_numsrc) > optlen) {
 			kfree(gsf);
 			retv = -EINVAL;
 			break;