aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6/raw.c
diff options
context:
space:
mode:
authorMark J Cox <mjc@redhat.com>2005-09-19 20:55:30 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2005-09-19 21:45:42 -0400
commit6d1cfe3f1752f17e297df60c8bcc6cd6e0a58449 (patch)
tree458323fe234aef3e5b96abf153feec48fe8a84df /net/ipv6/raw.c
parent997a51ae373df6484cdd4a5fc61a9c9bec82cd68 (diff)
[PATCH] raw_sendmsg DoS on 2.6
Fix unchecked __get_user that could be tricked into generating a memory read on an arbitrary address. The result of the read is not returned directly but you may be able to divine some information about it, or use the read to cause a crash on some architectures by reading hardware state. CAN-2004-2492. Fix from Al Viro, ack from Dave Miller. Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'net/ipv6/raw.c')
-rw-r--r--net/ipv6/raw.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 5aa3691c578d..a1265a320b11 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -627,7 +627,7 @@ static void rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
627 627
628 if (type && code) { 628 if (type && code) {
629 get_user(fl->fl_icmp_type, type); 629 get_user(fl->fl_icmp_type, type);
630 __get_user(fl->fl_icmp_code, code); 630 get_user(fl->fl_icmp_code, code);
631 probed = 1; 631 probed = 1;
632 } 632 }
633 break; 633 break;