o the timeout is int, not u_int32_t

o check timeout for negative values and overflow

ok tedu@ jason@

2 files changed, 9 insertions, 4 deletions

diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index b6a2aa0382a..b2f6afca087 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_bridge.c,v 1.115 2003/05/03 21:15:11 deraadt Exp $	*/
+/*	$OpenBSD: if_bridge.c,v 1.116 2003/05/30 20:08:34 henning Exp $	*/
 
 /*
  * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -548,6 +548,11 @@ bridge_ioctl(ifp, cmd, data)
 	case SIOCBRDGSTO:
 		if ((error = suser(prc->p_ucred, &prc->p_acflag)) != 0)
 			break;
+		if (bparam->ifbrp_ctime < 0 ||
+		    bparam->ifbrp_ctime > INT_MAX / hz) {
+			error = EINVAL;
+			break;
+		}
 		sc->sc_brttimeout = bparam->ifbrp_ctime;
 		timeout_del(&sc->sc_brtimeout);
 		if (bparam->ifbrp_ctime != 0)
diff --git a/sys/net/if_bridge.h b/sys/net/if_bridge.h
index b629cada435..d22814d1798 100644
--- a/sys/net/if_bridge.h
+++ b/sys/net/if_bridge.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_bridge.h,v 1.20 2002/12/09 10:11:52 markus Exp $	*/
+/*	$OpenBSD: if_bridge.h,v 1.21 2003/05/30 20:08:34 henning Exp $	*/
 
 /*
  * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -113,7 +113,7 @@ struct ifbrparam {
 	char			ifbrp_name[IFNAMSIZ];
 	union {
 		u_int32_t	ifbrpu_csize;		/* cache size */
-		u_int32_t	ifbrpu_ctime;		/* cache time (sec) */
+		int		ifbrpu_ctime;		/* cache time (sec) */
 		u_int16_t	ifbrpu_prio;		/* bridge priority */
 		u_int8_t	ifbrpu_hellotime;	/* hello time (sec) */
 		u_int8_t	ifbrpu_fwddelay;	/* fwd delay (sec) */
@@ -256,7 +256,7 @@ struct bridge_softc {
 	struct bridge_timer		sc_tcn_timer;
 	u_int32_t			sc_brtmax;	/* max # addresses */
 	u_int32_t			sc_brtcnt;	/* current # addrs */
-	u_int32_t			sc_brttimeout;	/* timeout ticks */
+	int				sc_brttimeout;	/* timeout ticks */
 	u_int32_t			sc_hashkey;	/* hash key */
 	struct timeout			sc_brtimeout;	/* timeout state */
 	struct timeout			sc_bstptimeout;	/* stp timeout */