diff mbox

[BUG] icmpv6fuzz creates bad paging request

Message ID 20090102085943.GA25100@gondor.apana.org.au
State Superseded, archived
Delegated to: David Miller
Headers show

Commit Message

Herbert Xu Jan. 2, 2009, 8:59 a.m. UTC 
On Thu, Jan 01, 2009 at 08:13:04PM +0000, Eric Sesterhenn wrote:
> 
> running "icmpv6fuzz -r 2187" gives me the following oops with current -git

Thanks, this should fix it:

ipv6: Fix memory overrun in do_ipv6_setsockopt

The newly added IPV6_PKTINFO option uses the user-supplied length
without checking, thus overwriting kernel stack memory if a bogus
value is provided.

This patch fixes it by capping the size to that of struct in6_pktinfo.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

Thanks,
diff mbox

Patch

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index eeeaad2..0df4b10 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -399,15 +399,13 @@  sticky_done:
 	{
 		struct in6_pktinfo pkt;
 
-		if (optlen == 0)
-			goto e_inval;
-		else if (optlen < sizeof(struct in6_pktinfo) || optval == NULL)
+		if (optlen < sizeof(pkt))
 			goto e_inval;
 
-		if (copy_from_user(&pkt, optval, optlen)) {
-				retv = -EFAULT;
-				break;
-		}
+		retv = -EFAULT;
+		if (copy_from_user(&pkt, optval, sizeof(pkt)))
+			break;
+
 		if (sk->sk_bound_dev_if && pkt.ipi6_ifindex != sk->sk_bound_dev_if)
 			goto e_inval;