Kaynağa Gözat

dccp: change L/R must have at least one byte in the dccpsf_val field

Thanks to Eugene Teo for reporting this problem.

Signed-off-by: Eugene Teo <eugenete@kernel.sg>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

Arnaldo Carvalho de Melo 17 yıl önce
ebeveyn
işleme
3e8a0a559c
1 değiştirilmiş dosya ile 5 ekleme ve 0 silme
  1. 5 0
      net/dccp/proto.c

+ 5 - 0
net/dccp/proto.c

@@ -474,6 +474,11 @@ static int dccp_setsockopt_change(struct sock *sk, int type,
 
 	if (copy_from_user(&opt, optval, sizeof(opt)))
 		return -EFAULT;
+	/*
+	 * rfc4340: 6.1. Change Options
+	 */
+	if (opt.dccpsf_len < 1)
+		return -EINVAL;
 
 	val = kmalloc(opt.dccpsf_len, GFP_KERNEL);
 	if (!val)