- Use unsigned version of min() when handling arguments of SETFKEY ioctl.

- Validate that user supplied control message length in sendmsg(2) is not negative. Security: SA-16:18 Security: CVE-2016-1886 Security: SA-16:19 Security: CVE-2016-1887 Submitted by: C Turt <cturt hardenedbsd.org> Approved by: so
2026-06-09 08:43:19 -04:00 · 2016-05-17 22:28:20 +00:00 · 2016-05-17 22:28:20 +00:00 · e0977fd0da
commit e0977fd0da
parent 31926631c1
4 changed files with 12 additions and 2 deletions
--- a/7
+++ b/7
@ -16,6 +16,13 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.

+20160517	p17	FreeBSD-SA-16:18.atkbd
+			FreeBSD-SA-16:19.sendmsg
+
+	Fix buffer overflow in keyboard driver. [SA-16:18]
+
+	Fix incorrect argument handling in sendmsg(2). [SA-16:19]
+
 20160504	p16	FreeBSD-SA-16:17.openssl
 			FreeBSD-EN-16:07.ipi
 			FreeBSD-EN-16:08.zfs
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@ -32,7 +32,7 @@

 TYPE="FreeBSD"
 REVISION="10.2"
-BRANCH="RELEASE-p16"
+BRANCH="RELEASE-p17"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
--- a/sys/dev/kbd/kbd.c
+++ b/sys/dev/kbd/kbd.c
@ -996,7 +996,7 @@ genkbd_commonioctl(keyboard_t *kbd, u_long cmd, caddr_t arg)
 			splx(s);
 			return (error);
 		}
-		kbd->kb_fkeytab[fkeyp->keynum].len = imin(fkeyp->flen, MAXFK);
+		kbd->kb_fkeytab[fkeyp->keynum].len = min(fkeyp->flen, MAXFK);
 		bcopy(fkeyp->keydef, kbd->kb_fkeytab[fkeyp->keynum].str,
 		    kbd->kb_fkeytab[fkeyp->keynum].len);
 		break;
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@ -1787,6 +1787,9 @@ sockargs(mp, buf, buflen, type)
 	struct mbuf *m;
 	int error;

+	if (buflen < 0)
+		return (EINVAL);
+
 	if (buflen > MLEN) {
 #ifdef COMPAT_OLDSOCK
 		if (type == MT_SONAME && buflen <= 112)