X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/3903760236c30e3b5ace7a4eefac3a269d68957c..a39ff7e25e19b3a8c3020042a3872ca9ec9659f1:/bsd/netinet/igmp.c
diff --git a/bsd/netinet/igmp.c b/bsd/netinet/igmp.c
index da146da81..b96b869fa 100644
--- a/bsd/netinet/igmp.c
+++ b/bsd/netinet/igmp.c
@@ -190,9 +190,9 @@ static int current_state_timers_running; /* IGMPv1/v2 host
 #define IGMP_LOCK() \
 lck_mtx_lock(&igmp_mtx)
 #define IGMP_LOCK_ASSERT_HELD() \
- lck_mtx_assert(&igmp_mtx, LCK_MTX_ASSERT_OWNED)
+ LCK_MTX_ASSERT(&igmp_mtx, LCK_MTX_ASSERT_OWNED)
 #define IGMP_LOCK_ASSERT_NOTHELD() \
- lck_mtx_assert(&igmp_mtx, LCK_MTX_ASSERT_NOTOWNED)
+ LCK_MTX_ASSERT(&igmp_mtx, LCK_MTX_ASSERT_NOTOWNED)
 #define IGMP_UNLOCK() \
 lck_mtx_unlock(&igmp_mtx)
 
@@ -555,7 +555,7 @@ igmp_ra_alloc(void)
 MGET(m, M_WAITOK, MT_DATA);
 p = mtod(m, struct ipoption *);
 p->ipopt_dst.s_addr = INADDR_ANY;
- p->ipopt_list[0] = IPOPT_RA; /* Router Alert Option */
+ p->ipopt_list[0] = (char)IPOPT_RA; /* Router Alert Option */
 p->ipopt_list[1] = 0x04; /* 4 bytes long */
 p->ipopt_list[2] = IPOPT_EOL; /* End of IP option list */
 p->ipopt_list[3] = 0x00; /* pad byte */
@@ -1737,6 +1737,17 @@ igmp_input(struct mbuf *m, int off)
 * Validate length based on source count.
 */
 nsrc = ntohs(igmpv3->igmp_numsrc);
+ /*
+ * The max vaue of nsrc is limited by the
+ * MTU of the network on which the datagram
+ * is received
+ */
+ if (nsrc < 0 || nsrc > IGMP_V3_QUERY_MAX_SRCS) {
+ IGMPSTAT_INC(igps_rcv_tooshort);
+ OIGMPSTAT_INC(igps_rcv_tooshort);
+ m_freem(m);
+ return;
+ }
 srclen = sizeof(struct in_addr) * nsrc;
 if (igmplen < (IGMP_V3_QUERY_MINLEN + srclen)) {
 IGMPSTAT_INC(igps_rcv_tooshort);
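Review bot: The new rejection path in igmp_input counts a query with too many sources under `igps_rcv_tooshort`, the same counter used for truncated packets just below, so the two cases cannot be told apart in the statistics. If no better counter exists, a comment on the increment such as `/* source count over limit, not a short packet; no dedicated stat */` would at least record that. The `nsrc < 0` half of the test looks unreachable, since `nsrc` has just been assigned from `ntohs()`; its declaration is outside the hunk, so confirm the type, but `if (nsrc > IGMP_V3_QUERY_MAX_SRCS) {` is probably enough. The added comment has a typo ("vaue") and would be more useful if it said that `nsrc` is taken from the received packet and must be bounded before it is used to compute `srclen`. The body of igmp_input starts and ends outside this hunk.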