Commit 4eb3dd59 authored by Arnaldo Carvalho de Melo, committed by Greg Kroah-Hartman

DCCP: Fix exploitable hole in DCCP socket options

[DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV

We were only checking if there was enough space to put the int, but
left len as specified by the (malicious) user, sigh, fix it by setting
len to sizeof(val) and transferring just one int worth of data, the one
asked for.

Also check for negative len values.

Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent 6fcc93a7
...@@ -575,7 +575,7 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname, ...@@ -575,7 +575,7 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
if (get_user(len, optlen)) if (get_user(len, optlen))
return -EFAULT; return -EFAULT;
if (len < sizeof(int)) if (len < (int)sizeof(int))
return -EINVAL; return -EINVAL;
dp = dccp_sk(sk); dp = dccp_sk(sk);
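
Review bot: The negative-length rejection in "if (len < (int)sizeof(int))" rests entirely on the cast, and nothing on the line says so. Without the cast the signed len is converted to unsigned for the comparison, so a negative value passes as a very large one; a later cleanup that drops the "redundant" cast would silently reopen the hole. Suggest either a one-line comment stating that the cast keeps the comparison signed, or an explicit "len < 0 ||" term so the intent survives refactoring.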
...@@ -589,9 +589,11 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname, ...@@ -589,9 +589,11 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
(__be32 __user *)optval, optlen); (__be32 __user *)optval, optlen);
case DCCP_SOCKOPT_SEND_CSCOV: case DCCP_SOCKOPT_SEND_CSCOV:
val = dp->dccps_pcslen; val = dp->dccps_pcslen;
len = sizeof(val);
break; break;
case DCCP_SOCKOPT_RECV_CSCOV: case DCCP_SOCKOPT_RECV_CSCOV:
val = dp->dccps_pcrlen; val = dp->dccps_pcrlen;
len = sizeof(val);
break; break;
case 128 ... 191: case 128 ... 191:
return ccid_hc_rx_getsockopt(dp->dccps_hc_rx_ccid, sk, optname, return ccid_hc_rx_getsockopt(dp->dccps_hc_rx_ccid, sk, optname,
......
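
Review bot: The clamp "len = sizeof(val);" is repeated in the DCCP_SOCKOPT_SEND_CSCOV and DCCP_SOCKOPT_RECV_CSCOV cases, so any option added later that sets val and breaks out of the switch will carry the user-supplied len to the copy-out again unless its author remembers the same line. Suggest setting len once at the common exit, immediately before the value is written back to userspace (that code is not shown in this hunk), so every case that reaches it inherits the bound. The "case 128 ... 191:" path returns through ccid_hc_rx_getsockopt() and never reaches that point, so its handling of the length needs to be checked separately.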