From 4be097b868689c243276460b35b2ea492e330608 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Sun, 13 Feb 2022 23:11:10 +0000
Subject: [PATCH] The length value in bpf_movein() is casted to from size_t to u_int and then rounded before checking. Put the same check before the calculations to avoid overflow.
Reported-by: syzbot+6f29d23eca959c5a9705@syzkaller.appspotmail.com
OK claudio@
---
 sys/net/bpf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sys/net/bpf.c b/sys/net/bpf.c
index 2d0d069d27c..369ed377f87 100644
--- a/sys/net/bpf.c
+++ b/sys/net/bpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bpf.c,v 1.213 2022/02/13 12:58:46 visa Exp $ */
+/* $OpenBSD: bpf.c,v 1.214 2022/02/13 23:11:10 bluhm Exp $ */
 /* $NetBSD: bpf.c,v 1.33 1997/02/21 23:59:35 thorpej Exp $ */
 /*
@@ -198,6 +198,8 @@ bpf_movein(struct uio *uio, struct bpf_d *d, struct mbuf **mp,
 return (EIO);
 }
+ if (uio->uio_resid > MAXMCLBYTES)
+ return (EMSGSIZE);
 len = uio->uio_resid;
 if (len < hlen)
 return (EINVAL);
@@ -211,7 +213,6 @@ bpf_movein(struct uio *uio, struct bpf_d *d, struct mbuf **mp,
 * Allocate enough space for headers and the aligned payload.
 */
 mlen = max(max_linkhdr, hlen) + roundup(alen, sizeof(long));
-
 if (mlen > MAXMCLBYTES)
 return (EMSGSIZE);
-- 
2.20.1
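Review bot: The new early return `if (uio->uio_resid > MAXMCLBYTES)` in bpf_movein() carries no comment saying why the same limit is now checked twice, once on uio_resid here and again on mlen in the second hunk, so a later cleanup may be tempted to drop one of them. Suggest a comment above the new check such as `/* Bound the raw length before it is narrowed and rounded below; the mlen check still bounds headers plus aligned payload. */`. The declared types of uio_resid and len are outside the hunk, so the narrowing that motivates the check is taken from the commit description rather than from visible lines. bpf_movein() begins and ends outside both hunks.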