Index: uipc_socket2.c
===================================================================
RCS file: /cvs/src/sys/kern/uipc_socket2.c,v
retrieving revision 1.100
diff -u -p -r1.100 uipc_socket2.c
--- uipc_socket2.c 15 Feb 2019 05:55:21 -0000 1.100
+++ uipc_socket2.c 15 Feb 2019 05:59:39 -0000
@@ -1022,10 +1022,12 @@ sbdroprecord(struct sockbuf *sb)
 struct mbuf *
 sbcreatecontrol(const void *p, size_t size, int type, int level)
 {
+ size_t space;
 struct cmsghdr *cp;
 struct mbuf *m;
 
- if (CMSG_SPACE(size) > MCLBYTES) {
+ space = CMSG_SPACE(size);
+ if (space < size || space > MCLBYTES) {
 printf("sbcreatecontrol: message too large %zu\n", size);
 return (NULL);
 }
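Review bot: The new `space < size` test in sbcreatecontrol() is a wraparound check, but nothing in the code says so, and it only works if CMSG_SPACE() evaluates in an unsigned type at least as wide as size_t. A one-line comment above the test would record both the intent and that assumption, for example `/* CMSG_SPACE() adds header and padding; reject sizes where the sum wraps */`. The function body continues past the end of the hunk, so it is not visible whether later lines still expand `CMSG_SPACE(size)` themselves. If they do, they should use the validated `space` instead, so that the value that was bounds-checked is the same value used to size and fill the mbuf.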