From patchwork Tue Nov 11 22:11:43 2008
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Brian Haley <brian.haley@hp.com>
X-Patchwork-Id: 8202
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.176.167])
	by ozlabs.org (Postfix) with ESMTP id 28B35DDDF3
	for <patchwork-incoming@ozlabs.org>;
	Wed, 12 Nov 2008 09:12:15 +1100 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751472AbYKKWMK (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Tue, 11 Nov 2008 17:12:10 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1751409AbYKKWMI
	(ORCPT <rfc822; netdev-outgoing>); Tue, 11 Nov 2008 17:12:08 -0500
Received: from g1t0029.austin.hp.com ([15.216.28.36]:4618 "EHLO
	g1t0029.austin.hp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751006AbYKKWMI (ORCPT
	<rfc822;netdev@vger.kernel.org>); Tue, 11 Nov 2008 17:12:08 -0500
Received: from g5t0029.atlanta.hp.com (g5t0029.atlanta.hp.com [16.228.8.141])
	by g1t0029.austin.hp.com (Postfix) with ESMTP id BBC4F38482;
	Tue, 11 Nov 2008 22:12:05 +0000 (UTC)
Received: from [192.168.1.101] (squirrel.fc.hp.com [15.11.146.57])
	by g5t0029.atlanta.hp.com (Postfix) with ESMTP id D0AE910129;
	Tue, 11 Nov 2008 22:11:44 +0000 (UTC)
Message-ID: <491A031F.40901@hp.com>
Date: Tue, 11 Nov 2008 17:11:43 -0500
From: Brian Haley <brian.haley@hp.com>
Organization: Open Source and Linux Organization
User-Agent: Thunderbird 2.0.0.17 (X11/20080925)
MIME-Version: 1.0
To: David Miller <davem@davemloft.net>
CC: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	Shan Wei <shanwei@cn.fujitsu.com>
Subject: [PATCH] ipv6: routing header fixes
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

This patch fixes two bugs:

1. setsockopt() of anything but a Type 2 routing header should return 
EINVAL instead of EPERM.  Noticed by Shan Wei (shanwei@cn.fujitsu.com).

2. setsockopt()/sendmsg() of a Type 2 routing header with invalid length 
or segments should return EINVAL.  These values are statically fixed in 
RFC 3775, unlike the variable Type 0 was.

Signed-off-by: Brian Haley <brian.haley@hp.com>

diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 410046a..e44deb8 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -661,6 +661,11 @@ int datagram_send_ctl(struct net *net,
 			switch (rthdr->type) {
 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
 			case IPV6_SRCRT_TYPE_2:
+				if (rthdr->hdrlen != 2 ||
+				    rthdr->segments_left != 1) {
+					err = -EINVAL;
+					goto exit_f;
+				}
 				break;
 #endif
 			default:
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 4e5eac3..2aa294b 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -366,11 +366,16 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
 		}
 
 		/* routing header option needs extra check */
+		retv = -EINVAL;
 		if (optname == IPV6_RTHDR && opt && opt->srcrt) {
 			struct ipv6_rt_hdr *rthdr = opt->srcrt;
 			switch (rthdr->type) {
 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
 			case IPV6_SRCRT_TYPE_2:
+				if (rthdr->hdrlen != 2 ||
+				    rthdr->segments_left != 1)
+					goto sticky_done;
+
 				break;
 #endif
 			default: