diff options
author | David S. Miller <davem@davemloft.net> | 2009-02-06 03:49:55 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-02-06 03:49:55 -0500 |
commit | 684de409acff8b1fe8bf188d75ff2f99c624387d (patch) | |
tree | f8792653579a6a6a88634c7d73e794943c3a38d4 | |
parent | a23f4bbd8d27ac8ddc5d71ace1f91bb503f0469a (diff) |
ipv6: Disallow rediculious flowlabel option sizes.
Just like PKTINFO, limit the options area to 64K.
Based upon report by Eric Sesterhenn and analysis by
Roland Dreier.
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv6/ip6_flowlabel.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c index c62dd247774f..7712578bdc66 100644 --- a/net/ipv6/ip6_flowlabel.c +++ b/net/ipv6/ip6_flowlabel.c | |||
@@ -323,17 +323,21 @@ static struct ip6_flowlabel * | |||
323 | fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval, | 323 | fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval, |
324 | int optlen, int *err_p) | 324 | int optlen, int *err_p) |
325 | { | 325 | { |
326 | struct ip6_flowlabel *fl; | 326 | struct ip6_flowlabel *fl = NULL; |
327 | int olen; | 327 | int olen; |
328 | int addr_type; | 328 | int addr_type; |
329 | int err; | 329 | int err; |
330 | 330 | ||
331 | olen = optlen - CMSG_ALIGN(sizeof(*freq)); | ||
332 | err = -EINVAL; | ||
333 | if (olen > 64 * 1024) | ||
334 | goto done; | ||
335 | |||
331 | err = -ENOMEM; | 336 | err = -ENOMEM; |
332 | fl = kzalloc(sizeof(*fl), GFP_KERNEL); | 337 | fl = kzalloc(sizeof(*fl), GFP_KERNEL); |
333 | if (fl == NULL) | 338 | if (fl == NULL) |
334 | goto done; | 339 | goto done; |
335 | 340 | ||
336 | olen = optlen - CMSG_ALIGN(sizeof(*freq)); | ||
337 | if (olen > 0) { | 341 | if (olen > 0) { |
338 | struct msghdr msg; | 342 | struct msghdr msg; |
339 | struct flowi flowi; | 343 | struct flowi flowi; |