Index: sys/kern/uipc_socket.c =================================================================== --- sys/kern/uipc_socket.c +++ sys/kern/uipc_socket.c @@ -2558,6 +2558,10 @@ case SO_NOSIGPIPE: case SO_NO_DDP: case SO_NO_OFFLOAD: + if (sopt->sopt_valsize != sizeof(optval)) { + error = EINVAL; + goto bad; + } error = sooptcopyin(sopt, &optval, sizeof optval, sizeof optval); if (error) @@ -2571,6 +2575,10 @@ break; case SO_SETFIB: + if (sopt->sopt_valsize != sizeof(optval)) { + error = EINVAL; + goto bad; + } error = sooptcopyin(sopt, &optval, sizeof optval, sizeof optval); if (error) @@ -2589,6 +2597,10 @@ break; case SO_USER_COOKIE: + if (sopt->sopt_valsize != sizeof(val32)) { + error = EINVAL; + goto bad; + } error = sooptcopyin(sopt, &val32, sizeof val32, sizeof val32); if (error) @@ -2600,6 +2612,10 @@ case SO_RCVBUF: case SO_SNDLOWAT: case SO_RCVLOWAT: + if (sopt->sopt_valsize != sizeof(optval)) { + error = EINVAL; + goto bad; + } error = sooptcopyin(sopt, &optval, sizeof optval, sizeof optval); if (error) @@ -2654,14 +2670,24 @@ if (SV_CURPROC_FLAG(SV_ILP32)) { struct timeval32 tv32; + if (sopt->sopt_valsize != sizeof(tv32)) { + error = EINVAL; + goto bad; + } error = sooptcopyin(sopt, &tv32, sizeof tv32, sizeof tv32); CP(tv32, tv, tv_sec); CP(tv32, tv, tv_usec); } else #endif + { + if (sopt->sopt_valsize != sizeof(tv32)) { + error = EINVAL; + goto bad; + } error = sooptcopyin(sopt, &tv, sizeof tv, sizeof tv); + } if (error) goto bad; if (tv.tv_sec < 0 || tv.tv_usec < 0 || @@ -2685,6 +2711,10 @@ case SO_LABEL: #ifdef MAC + if (sopt->sopt_valsize != sizeof(extmac)) { + error = EINVAL; + goto bad; + } error = sooptcopyin(sopt, &extmac, sizeof extmac, sizeof extmac); if (error) @@ -2697,6 +2727,10 @@ break; case SO_TS_CLOCK: + if (sopt->sopt_valsize != sizeof(optval)) { + error = EINVAL; + goto bad; + } error = sooptcopyin(sopt, &optval, sizeof optval, sizeof optval); if (error) 
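Review bot: The added `sopt->sopt_valsize != sizeof(optval)` test before the SO_NOSIGPIPE/SO_NO_DDP/SO_NO_OFFLOAD copy tightens the accepted length rather than closing a short-copy gap, and nothing in the hunk documents that userland-visible change. The `sooptcopyin(sopt, &optval, sizeof optval, sizeof optval)` call that follows already passes `sizeof optval` as its minimum length; as far as I know it fails with EINVAL on a shorter sopt_valsize and copies no more than the requested length, so the only new effect is EINVAL for callers that pass a longer option length. The same holds for the SO_SETFIB, SO_USER_COOKIE, SO_RCVBUF/SO_SNDLOWAT/SO_RCVLOWAT, timeout, SO_LABEL, SO_TS_CLOCK and SO_MAX_PACING_RATE hunks. If exact-size enforcement is intended, state it at the first check, e.g. `/* Reject any option length other than sizeof(optval), not only short ones. */`, and consider one small helper in place of the nine repeated four-line checks so the sizeof operand cannot drift from the copy target. The switch these cases belong to starts and ends outside the hunk.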
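Review bot: In the non-ILP32 branch of the timeout hunk the new guard reads `sizeof(tv32)`, but `tv32` is declared inside the preceding `if (SV_CURPROC_FLAG(SV_ILP32))` block, so it is out of scope in the added `else` braces and does not exist at all when the conditional closed by the visible `#endif` is compiled out; this should not build. The copy that follows targets `tv`, so the guard should be `if (sopt->sopt_valsize != sizeof(tv)) {`. Even with a `tv32` in scope the check would compare against the wrong structure and, wherever the two layouts differ in size, reject a correctly sized native timeval. The enclosing case starts above the hunk and the range validation of `tv` continues below it.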
@@ -2709,6 +2743,10 @@ break; case SO_MAX_PACING_RATE: + if (sopt->sopt_valsize != sizeof(val32)) { + error = EINVAL; + goto bad; + } error = sooptcopyin(sopt, &val32, sizeof(val32), sizeof(val32)); if (error)