From 887aedc64e8cc8fca98d255cd7c4a534e73a70d0 Mon Sep 17 00:00:00 2001
From: Konstantin Belousov
Date: Mon, 26 May 2008 10:01:13 +0000
Subject: [PATCH] Take into account possible overflow when multiplying. The casuality is the malloc call later, panicing kernel due to the oversized allocation.
Reported by: pho
Reviewed by: jeff
---
 sys/kern/kern_cpuset.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/kern/kern_cpuset.c b/sys/kern/kern_cpuset.c
index 22b66772587..1a2495e4c74 100644
--- a/sys/kern/kern_cpuset.c
+++ b/sys/kern/kern_cpuset.c
@@ -805,7 +805,7 @@ cpuset_getaffinity(struct thread *td, struct cpuset_getaffinity_args *uap)
 size_t size;
 if (uap->cpusetsize < sizeof(cpuset_t) ||
- uap->cpusetsize * NBBY > CPU_MAXSIZE)
+ uap->cpusetsize > CPU_MAXSIZE / NBBY)
 return (ERANGE);
 size = uap->cpusetsize;
 mask = malloc(size, M_TEMP, M_WAITOK | M_ZERO);
@@ -892,7 +892,7 @@ cpuset_setaffinity(struct thread *td, struct cpuset_setaffinity_args *uap)
 int error;
 if (uap->cpusetsize < sizeof(cpuset_t) ||
- uap->cpusetsize * NBBY > CPU_MAXSIZE)
+ uap->cpusetsize > CPU_MAXSIZE / NBBY)
 return (ERANGE);
 mask = malloc(uap->cpusetsize, M_TEMP, M_WAITOK | M_ZERO);
 error = copyin(uap->mask, mask, uap->cpusetsize);
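Review bot: The rewritten bound `uap->cpusetsize > CPU_MAXSIZE / NBBY` in cpuset_getaffinity has no comment saying why it divides instead of multiplying, so a later cleanup could restore the wrapping form; the same applies to the identical check in the cpuset_setaffinity hunk. I would add above each check `/* Compare by division: cpusetsize * NBBY can wrap for large values and let an oversized size reach malloc(). */`. Since the size appears to come straight from the syscall arguments and feeds malloc() and copyin() directly, a single shared helper or macro for this range check would also keep the two copies from drifting apart. Both function bodies start and end outside the hunks, so any later use of the size is not visible here.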