aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArnaldo Carvalho de Melo <acme@ghostprotocols.net>2007-03-28 11:54:32 -0700
committerDavid S. Miller <davem@davemloft.net>2007-03-28 11:54:32 -0700
commit39ebc0276bada8bb70e067cb6d0eb71839c0fb08 (patch)
treea6afca93101b9142523d6814db12ec09d73e58ef
parent53aadcc90931dfa150f76ce9a5f9e8f3e43d57df (diff)
[DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV
We were only checking if there was enough space to put the int, but left len as specified by the (malicious) user, sigh, fix it by setting len to sizeof(val) and transfering just one int worth of data, the one asked for. Also check for negative len values. Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/dccp/proto.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index cf28c53a389..6607b7b14f3 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -575,7 +575,7 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
if (get_user(len, optlen))
return -EFAULT;
- if (len < sizeof(int))
+ if (len < (int)sizeof(int))
return -EINVAL;
dp = dccp_sk(sk);
@@ -589,9 +589,11 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
(__be32 __user *)optval, optlen);
case DCCP_SOCKOPT_SEND_CSCOV:
val = dp->dccps_pcslen;
+ len = sizeof(val);
break;
case DCCP_SOCKOPT_RECV_CSCOV:
val = dp->dccps_pcrlen;
+ len = sizeof(val);
break;
case 128 ... 191:
return ccid_hc_rx_getsockopt(dp->dccps_hc_rx_ccid, sk, optname,