aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4/ip_sockglue.c
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2008-04-10 04:29:36 -0400
committerDavid S. Miller <davem@davemloft.net>2008-04-10 04:29:36 -0400
commit951e07c930f5f66b676eaa4c32a1b0d8e2d7d06a (patch)
treedbbecc7be4c616d47586ef0ff6a552c110bcb8d5 /net/ipv4/ip_sockglue.c
parent619c714c1d6e4dff00ddde582d78492fd95452d6 (diff)
[IPV4]: Fix byte value boundary check in do_ip_getsockopt().
This fixes kernel bugzilla 10371. As reported by M.Piechaczek@osmosys.tv, if we try to grab a char sized socket option value, as in: unsigned char ttl = 255; socklen_t len = sizeof(ttl); setsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, &len); getsockopt(socket, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, &len); The ttl returned will be wrong on big-endian, and on both little- endian and big-endian the next three bytes in userspace are written with garbage. It's because of this test in do_ip_getsockopt(): if (len < sizeof(int) && len > 0 && val>=0 && val<255) { It should allow a 'val' of 255 to pass here, but it doesn't so it copies a full 'int' back to userspace. On little-endian that will write the correct value into the location but it spams on the next three bytes in userspace. On big endian it writes the wrong value into the location and spams the next three bytes. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/ip_sockglue.c')
-rw-r--r--net/ipv4/ip_sockglue.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index f72457b4b0a7..c2921d01e925 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1132,7 +1132,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
1132 } 1132 }
1133 release_sock(sk); 1133 release_sock(sk);
1134 1134
1135 if (len < sizeof(int) && len > 0 && val>=0 && val<255) { 1135 if (len < sizeof(int) && len > 0 && val>=0 && val<=255) {
1136 unsigned char ucval = (unsigned char)val; 1136 unsigned char ucval = (unsigned char)val;
1137 len = 1; 1137 len = 1;
1138 if (put_user(len, optlen)) 1138 if (put_user(len, optlen))