From 7f66a4077be71b605204accda37ba68b91754fdd Mon Sep 17 00:00:00 2001
From: bluhm
Date: Thu, 27 Apr 2017 21:39:27 +0000
Subject: [PATCH] Enforce that sysctl kern.somaxconn and sominconn can only be set to valid values. The so_qlimit is type short. report Dillon Jay Pena; OK deraadt@
---
 sys/kern/kern_sysctl.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index d08767d14bc..807a35fe75c 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kern_sysctl.c,v 1.324 2017/04/05 04:15:44 guenther Exp $ */
+/* $OpenBSD: kern_sysctl.c,v 1.325 2017/04/27 21:39:27 bluhm Exp $ */
 /* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */
 /*-
@@ -431,10 +431,26 @@ kern_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
 return (sysctl_int(oldp, oldlenp, newp, newlen, &maxthread));
 case KERN_NTHREADS:
 return (sysctl_rdint(oldp, oldlenp, newp, nthreads));
- case KERN_SOMAXCONN:
- return (sysctl_int(oldp, oldlenp, newp, newlen, &somaxconn));
- case KERN_SOMINCONN:
- return (sysctl_int(oldp, oldlenp, newp, newlen, &sominconn));
+ case KERN_SOMAXCONN: {
+ int val = somaxconn;
+ error = sysctl_int(oldp, oldlenp, newp, newlen, &val);
+ if (error)
+ return error;
+ if (val < 0 || val > SHRT_MAX)
+ return EINVAL;
+ somaxconn = val;
+ return 0;
+ }
+ case KERN_SOMINCONN: {
+ int val = sominconn;
+ error = sysctl_int(oldp, oldlenp, newp, newlen, &val);
+ if (error)
+ return error;
+ if (val < 0 || val > SHRT_MAX)
+ return EINVAL;
+ sominconn = val;
+ return 0;
+ }
 case KERN_NOSUIDCOREDUMP:
 return (sysctl_int(oldp, oldlenp, newp, newlen, &nosuidcoredump));
 case KERN_FSYNC:
--
2.20.1
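Review bot: The `val > SHRT_MAX` bound in the new KERN_SOMAXCONN and KERN_SOMINCONN blocks is explained only in the commit message, so nothing in the code says the limit exists because the value is later stored in the short-typed so_qlimit. I would put a comment above the first check, for example `/* so_qlimit is a short: reject values that would truncate when copied into it */`, so that a future change to that field's type prompts a change to the bound. The two blocks are identical apart from the variable they update, so a small static helper taking the target `int *` would keep the range check from drifting between them. The hunk also validates each value on its own and does not relate sominconn to somaxconn; whether a minimum above the maximum matters depends on the listen path, which is not visible here. The body of kern_sysctl, including the declaration of `error`, starts and ends outside this hunk.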