Sophie

kernel-2.6.18-238.el5.src.rpm

From: Jiri Pirko <jpirko@redhat.com>
Date: Tue, 10 Mar 2009 10:58:28 +0100
Subject: [net] ipv6: check hop limit setting in ancillary data
Message-id: 20090310095827.GI3468@psychotron.englab.brq.redhat.com
O-Subject: [RHEL5.4 patch] BZ487406 net: ipv6: Check the hop limit setting in ancillary data.
Bugzilla: 487406
RH-Acked-by: Neil Horman <nhorman@redhat.com>

BZ487406
https://bugzilla.redhat.com/show_bug.cgi?id=487406

Description:
When specifying the outgoing hop limit as ancillary data for sendmsg(),
the kernel doesn't check the integer hop limit value as specified in
[RFC-3542] section 6.3.

Upstream:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e8766fc86b34d44a8c55a2f9d71da69e091b1ca4

Brew:
https://brewweb.devel.redhat.com/taskinfo?taskID=1719980

Test:
Booted on x86_64 and tested with reproducer.

Note:
To apply without a hunk, you should apply patch for BZ486215 first.

Jirka

diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index dc01dff..6f99322 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -695,6 +695,11 @@ int datagram_send_ctl(struct msghdr *msg, struct flowi *fl,
 			}
 
 			*hlimit = *(int *)CMSG_DATA(cmsg);
+			if (*hlimit < -1 || *hlimit > 0xff) {
+				err = -EINVAL;
+				goto exit_f;
+			}
+
 			break;
 
 		case IPV6_TCLASS:
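
Review bot: the range check `if (*hlimit < -1 || *hlimit > 0xff)` runs only after `*hlimit = *(int *)CMSG_DATA(cmsg);` has already written through the caller's pointer, so on the `-EINVAL` path `*hlimit` is left holding the rejected value. Reading the cmsg payload into a local int, validating it, and assigning `*hlimit` only on success would leave the out-parameter untouched when the call fails. The bounds `-1` and `0xff` are also bare literals; a one-line comment pointing at RFC 3542 section 6.3, which the commit message cites as the source of the range, would make the check self-explanatory in the code.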