| From afd861c0bd473bcd285e4d1467428e8b0c2d2433 Mon Sep 17 00:00:00 2001 |
| From: David S. Miller <davem@davemloft.net> |
| Date: Fri, 6 Feb 2009 00:49:55 -0800 |
| Subject: ipv6: Disallow rediculious flowlabel option sizes. |
| |
| From: David S. Miller <davem@davemloft.net> |
| |
| [ Upstream commit 684de409acff8b1fe8bf188d75ff2f99c624387d ] |
| |
| Just like PKTINFO, limit the options area to 64K. |
| |
| Based upon report by Eric Sesterhenn and analysis by |
| Roland Dreier. |
| |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/ipv6/ip6_flowlabel.c | 8 ++++++-- |
| 1 file changed, 6 insertions(+), 2 deletions(-) |
| |
| --- a/net/ipv6/ip6_flowlabel.c |
| +++ b/net/ipv6/ip6_flowlabel.c |
| @@ -323,17 +323,21 @@ static struct ip6_flowlabel * |
| fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval, |
| int optlen, int *err_p) |
| { |
| - struct ip6_flowlabel *fl; |
| + struct ip6_flowlabel *fl = NULL; |
| int olen; |
| int addr_type; |
| int err; |
| |
| + olen = optlen - CMSG_ALIGN(sizeof(*freq)); |
| + err = -EINVAL; |
| + if (olen > 64 * 1024) |
| + goto done; |
| + |
| err = -ENOMEM; |
| fl = kzalloc(sizeof(*fl), GFP_KERNEL); |
| if (fl == NULL) |
| goto done; |
| |
| - olen = optlen - CMSG_ALIGN(sizeof(*freq)); |
| if (olen > 0) { |
| struct msghdr msg; |
| struct flowi flowi; |