From 7349ea785c916bbd7516077f293ae93bbb54dbbf Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Tue, 17 May 2016 22:28:53 +0000
Subject: [PATCH] Validate that user supplied control message length is not
 negative.

Submitted by:	C Turt <cturt hardenedbsd.org>
Security:	SA-16:19
Security:	CVE-2016-1887
---
 sys/kern/uipc_syscalls.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 05703ef65c15..7184e47ba62a 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -1699,6 +1699,9 @@ sockargs(mp, buf, buflen, type)
 	struct mbuf *m;
 	int error;
 
+	if (buflen < 0)
+		return (EINVAL);
+
 	if (buflen > MLEN) {
 #ifdef COMPAT_OLDSOCK
 		if (type == MT_SONAME && buflen <= 112)