[DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV

We were only checking if there was enough space to put the int, but left len as specified by the (malicious) user, sigh, fix it by setting len to sizeof(val) and transfering just one int worth of data, the one asked for. Also check for negative len values. Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>

[DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV
We were only checking if there was enough space to put the int, but left len as specified by the (malicious) user, sigh, fix it by setting len to sizeof(val) and transfering just one int worth of data, the one asked for. Also check for negative len values. Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>
39ebc027 · Arnaldo Carvalho de Melo · David S. Miller · 53aadcc9 · 39ebc027
Commit 39ebc027 authored Mar 28, 2007 by Arnaldo Carvalho de Melo Committed by David S. Miller Mar 28, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

net/dccp/proto.c net/dccp/proto.c +3 -1

No files found.
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -575,7 +575,7 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
 	if (get_user(len, optlen))
 		return -EFAULT;

-	if (len < sizeof(int))
+	if (len < (int)sizeof(int))
 		return -EINVAL;

 	dp = dccp_sk(sk);
@@ -589,9 +589,11 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
 					       (__be32 __user *)optval, optlen);
 	case DCCP_SOCKOPT_SEND_CSCOV:
 		val = dp->dccps_pcslen;
+		len = sizeof(val);
 		break;
 	case DCCP_SOCKOPT_RECV_CSCOV:
 		val = dp->dccps_pcrlen;
+		len = sizeof(val);
 		break;
 	case 128 ... 191:
 		return ccid_hc_rx_getsockopt(dp->dccps_hc_rx_ccid, sk, optname,