2 files changed, 11 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index 259c604274..138f1e0fe1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Sun Feb 22 02:03:46 2009  Tanaka Akira  <akr@fsij.org>
+
+	* ext/socket/ancdata.c (bsock_recvmsg_internal): check max length
+	  overflow.
+
 Sun Feb 22 01:52:30 2009  Tanaka Akira  <akr@fsij.org>
 
 	* ext/socket/ancdata.c (bsock_recvmsg_internal): don't call
diff --git a/ext/socket/ancdata.c b/ext/socket/ancdata.c
index 28f00649d7..e3f56fe50f 100644
--- a/ext/socket/ancdata.c
+++ b/ext/socket/ancdata.c
@@ -1313,6 +1313,8 @@ bsock_recvmsg_internal(int argc, VALUE *argv, VALUE sock, int nonblock)
 	int grown = 0;
 #if defined(HAVE_ST_MSG_CONTROL)
         if (NIL_P(vmaxdatlen) && (mh.msg_flags & MSG_TRUNC)) {
+            if (SIZE_MAX/2 < maxdatlen)
+                rb_raise(rb_eArgError, "max data length too big");
 	    maxdatlen *= 2;
 	    grown = 1;
 	}
@@ -1328,6 +1330,8 @@ bsock_recvmsg_internal(int argc, VALUE *argv, VALUE sock, int nonblock)
 		}
             }
             else {
+                if (SIZE_MAX/2 < maxctllen)
+                    rb_raise(rb_eArgError, "max control message length too big");
                 maxctllen *= 2;
                 grown = 1;
             }
@@ -1335,6 +1339,8 @@ bsock_recvmsg_internal(int argc, VALUE *argv, VALUE sock, int nonblock)
 	}
 #else
 	if (NIL_P(vmaxdatlen) && ss != -1 && ss == iov.iov_len) {
+            if (SIZE_MAX/2 < maxdatlen)
+                rb_raise(rb_eArgError, "max data length too big");
 	    maxdatlen *= 2;
 	    grown = 1;
 	}