Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=39ebc0276bada8bb70e067cb6d0eb71839c0fb08
Commit:     39ebc0276bada8bb70e067cb6d0eb71839c0fb08
Parent:     53aadcc90931dfa150f76ce9a5f9e8f3e43d57df
Author:     Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>
AuthorDate: Wed Mar 28 11:54:32 2007 -0700
Committer:  David S. Miller <[EMAIL PROTECTED]>
CommitDate: Wed Mar 28 11:54:32 2007 -0700

    [DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV
    
    We were only checking if there was enough space to put the int, but
    left len as specified by the (malicious) user, sigh, fix it by setting
    len to sizeof(val) and transfering just one int worth of data, the one
    asked for.
    
    Also check for negative len values.
    
    Signed-off-by: Arnaldo Carvalho de Melo <[EMAIL PROTECTED]>
    Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
---
 net/dccp/proto.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index cf28c53..6607b7b 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -575,7 +575,7 @@ static int do_dccp_getsockopt(struct sock *sk, int level, 
int optname,
        if (get_user(len, optlen))
                return -EFAULT;
 
-       if (len < sizeof(int))
+       if (len < (int)sizeof(int))
                return -EINVAL;
 
        dp = dccp_sk(sk);
@@ -589,9 +589,11 @@ static int do_dccp_getsockopt(struct sock *sk, int level, 
int optname,
                                               (__be32 __user *)optval, optlen);
        case DCCP_SOCKOPT_SEND_CSCOV:
                val = dp->dccps_pcslen;
+               len = sizeof(val);
                break;
        case DCCP_SOCKOPT_RECV_CSCOV:
                val = dp->dccps_pcrlen;
+               len = sizeof(val);
                break;
        case 128 ... 191:
                return ccid_hc_rx_getsockopt(dp->dccps_hc_rx_ccid, sk, optname,
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to