aboutsummaryrefslogtreecommitdiffstats
path: root/net/dccp
diff options
context:
space:
mode:
authorArnaldo Carvalho de Melo <acme@ghostprotocols.net>2007-03-28 14:54:32 -0400
committerDavid S. Miller <davem@davemloft.net>2007-03-28 14:54:32 -0400
commit39ebc0276bada8bb70e067cb6d0eb71839c0fb08 (patch)
treea6afca93101b9142523d6814db12ec09d73e58ef /net/dccp
parent53aadcc90931dfa150f76ce9a5f9e8f3e43d57df (diff)
[DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV
We were only checking if there was enough space to put the int, but left len as specified by the (malicious) user, sigh, fix it by setting len to sizeof(val) and transfering just one int worth of data, the one asked for. Also check for negative len values. Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/dccp')
-rw-r--r--net/dccp/proto.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index cf28c53a389a..6607b7b14f34 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -575,7 +575,7 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
575 if (get_user(len, optlen)) 575 if (get_user(len, optlen))
576 return -EFAULT; 576 return -EFAULT;
577 577
578 if (len < sizeof(int)) 578 if (len < (int)sizeof(int))
579 return -EINVAL; 579 return -EINVAL;
580 580
581 dp = dccp_sk(sk); 581 dp = dccp_sk(sk);
@@ -589,9 +589,11 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
589 (__be32 __user *)optval, optlen); 589 (__be32 __user *)optval, optlen);
590 case DCCP_SOCKOPT_SEND_CSCOV: 590 case DCCP_SOCKOPT_SEND_CSCOV:
591 val = dp->dccps_pcslen; 591 val = dp->dccps_pcslen;
592 len = sizeof(val);
592 break; 593 break;
593 case DCCP_SOCKOPT_RECV_CSCOV: 594 case DCCP_SOCKOPT_RECV_CSCOV:
594 val = dp->dccps_pcrlen; 595 val = dp->dccps_pcrlen;
596 len = sizeof(val);
595 break; 597 break;
596 case 128 ... 191: 598 case 128 ... 191:
597 return ccid_hc_rx_getsockopt(dp->dccps_hc_rx_ccid, sk, optname, 599 return ccid_hc_rx_getsockopt(dp->dccps_hc_rx_ccid, sk, optname,