aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArnaldo Carvalho de Melo <acme@ghostprotocols.net>2007-03-29 11:57:36 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2007-04-06 03:43:13 -0700
commit4eb3dd593742225da375596564aca6aca2470999 (patch)
tree0029cede1551a4fe889ded312c9fffb7707aa2a3
parent6fcc93a729a1830abfee7ce3065a4dd750c1c6b1 (diff)
downloadlinux-linaro-stable-4eb3dd593742225da375596564aca6aca2470999.tar.gz
DCCP: Fix exploitable hole in DCCP socket options
[DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV We were only checking if there was enough space to put the int, but left len as specified by the (malicious) user, sigh, fix it by setting len to sizeof(val) and transfering just one int worth of data, the one asked for. Also check for negative len values. Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--net/dccp/proto.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 63b3fa20e14b..88ed359b606c 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -575,7 +575,7 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
if (get_user(len, optlen))
return -EFAULT;
- if (len < sizeof(int))
+ if (len < (int)sizeof(int))
return -EINVAL;
dp = dccp_sk(sk);
@@ -589,9 +589,11 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
(__be32 __user *)optval, optlen);
case DCCP_SOCKOPT_SEND_CSCOV:
val = dp->dccps_pcslen;
+ len = sizeof(val);
break;
case DCCP_SOCKOPT_RECV_CSCOV:
val = dp->dccps_pcrlen;
+ len = sizeof(val);
break;
case 128 ... 191:
return ccid_hc_rx_getsockopt(dp->dccps_hc_rx_ccid, sk, optname,