Commit 4c9ef074 authored by David S. Miller's avatar David S. Miller Committed by Greg Kroah-Hartman

IPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000]

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=8134Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarChris Wright <chrisw@sous-sol.org>
parent 3baa43fd
...@@ -796,11 +796,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname, ...@@ -796,11 +796,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
EXPORT_SYMBOL(compat_ipv6_setsockopt); EXPORT_SYMBOL(compat_ipv6_setsockopt);
#endif #endif
static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr, static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
char __user *optval, int len) char __user *optval, int len)
{ {
if (!hdr) struct ipv6_opt_hdr *hdr;
if (!opt || !opt->hopopt)
return 0; return 0;
hdr = opt->hopopt;
len = min_t(int, len, ipv6_optlen(hdr)); len = min_t(int, len, ipv6_optlen(hdr));
if (copy_to_user(optval, hdr, ipv6_optlen(hdr))) if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
return -EFAULT; return -EFAULT;
...@@ -941,7 +945,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname, ...@@ -941,7 +945,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
{ {
lock_sock(sk); lock_sock(sk);
len = ipv6_getsockopt_sticky(sk, np->opt->hopopt, len = ipv6_getsockopt_sticky(sk, np->opt,
optval, len); optval, len);
release_sock(sk); release_sock(sk);
return put_user(len, optlen); return put_user(len, optlen);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment