From: Wang Chen Date: Mon, 7 Apr 2008 01:42:07 +0000 (+0800) Subject: [IPV6]: Check length of optval provided by user in setsockopt(). X-Git-Tag: v2.6.26-rc1~1138^2~123^2~4 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a28398ba6112be28c6a92aacf06aca1979b454b7;p=linux-2.6 [IPV6]: Check length of optval provided by user in setsockopt(). Check length of setsockopt's optval, which provided by user, before copy it from user space. For POSIX compliant, return -EINVAL for setsockopt of short lengths. Signed-off-by: Wang Chen Signed-off-by: YOSHIFUJI Hideaki --- diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index bf96953752..bd3fb129b3 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -449,6 +449,9 @@ done: { struct ipv6_mreq mreq; + if (optlen < sizeof(struct ipv6_mreq)) + goto e_inval; + retv = -EPROTO; if (inet_sk(sk)->is_icsk) break; @@ -468,7 +471,7 @@ done: { struct ipv6_mreq mreq; - if (optlen != sizeof(struct ipv6_mreq)) + if (optlen < sizeof(struct ipv6_mreq)) goto e_inval; retv = -EFAULT; @@ -487,6 +490,9 @@ done: struct group_req greq; struct sockaddr_in6 *psin6; + if (optlen < sizeof(struct group_req)) + goto e_inval; + retv = -EFAULT; if (copy_from_user(&greq, optval, sizeof(struct group_req))) break; @@ -511,7 +517,7 @@ done: struct group_source_req greqs; int omode, add; - if (optlen != sizeof(struct group_source_req)) + if (optlen < sizeof(struct group_source_req)) goto e_inval; if (copy_from_user(&greqs, optval, sizeof(greqs))) { retv = -EFAULT;