[IGMP/MLD]: Check for numsrc overflow, plus temp buffer tweaks.
authorDavid Stevens <dlstevens@us.ibm.com>
Tue, 24 Feb 2004 16:24:37 +0000 (08:24 -0800)
committerPatrick McHardy <kaber@trash.net>
Tue, 24 Feb 2004 16:24:37 +0000 (08:24 -0800)
net/ipv4/ip_sockglue.c
net/ipv6/ipv6_sockglue.c

index ec46daa8cabac910a6ae7f1f866a22c49bac0f1b..d8f9eafe590fedc198c1e9f9188d1add43794596 100644 (file)
@@ -617,10 +617,15 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int opt
                }
                case IP_MSFILTER:
                {
+                       extern int sysctl_optmem_max;
                        struct ip_msfilter *msf;
 
                        if (optlen < IP_MSFILTER_SIZE(0))
                                goto e_inval;
+                       if (optlen > sysctl_optmem_max) {
+                               err = -ENOBUFS;
+                               break;
+                       }
                        msf = (struct ip_msfilter *)kmalloc(optlen, GFP_KERNEL);
                        if (msf == 0) {
                                err = -ENOBUFS;
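Review bot: The new upper bound `optlen > sysctl_optmem_max` compares two signed ints, so a negative `optlen` is not rejected by it. Whether the preceding `optlen < IP_MSFILTER_SIZE(0)` test catches a negative value depends on the macro's type, which is not visible here; if it is `size_t`-based, the negative length is promoted to a huge unsigned value and passes, leaving only the `kmalloc` failure to stop it. An explicit `if (optlen < 0) goto e_inval;` ahead of both checks would make the rejection independent of integer promotion. The same pattern appears in the MCAST_MSFILTER hunk of net/ipv6/ipv6_sockglue.c. Separately, the block-scope `extern int sysctl_optmem_max;` in both files bypasses header type checking, and a declaration in a shared header would be safer.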
@@ -631,7 +636,9 @@ int ip_setsockopt(struct sock *sk, int level, int optname, char *optval, int opt
                                kfree(msf);
                                break;
                        }
-                       if (IP_MSFILTER_SIZE(msf->imsf_numsrc) > optlen) {
+                       if (IP_MSFILTER_SIZE(msf->imsf_numsrc) < 
+                           IP_MSFILTER_SIZE(0) ||
+                           IP_MSFILTER_SIZE(msf->imsf_numsrc) > optlen) {
                                kfree(msf);
                                err = -EINVAL;
                                break;
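Review bot: The added test `IP_MSFILTER_SIZE(msf->imsf_numsrc) < IP_MSFILTER_SIZE(0)` only detects a wrap that lands below the base size. The macro definition is not shown, but if the size arithmetic is 32 bits wide, a large `imsf_numsrc` can wrap to a value between `IP_MSFILTER_SIZE(0)` and `optlen` and pass both comparisons. Code that later walks `imsf_numsrc` entries would then run past the `optlen`-byte allocation. Bounding the count itself avoids the multiplication: `if (msf->imsf_numsrc > (optlen - IP_MSFILTER_SIZE(0)) / sizeof(msf->imsf_slist[0])) {`. The `GROUP_FILTER_SIZE(gsf->gf_numsrc)` check in net/ipv6/ipv6_sockglue.c has the same shape and would take the equivalent form with `gf_slist`. The enclosing case block continues outside this hunk.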
index 320c185f8cf5353c016ae7d796313958a1c95f58..1b28ffcefc4e85b73e7b76bdcd297dffd0f7e211 100644 (file)
@@ -436,10 +436,15 @@ done:
        }
        case MCAST_MSFILTER:
        {
+               extern int sysctl_optmem_max;
                struct group_filter *gsf;
 
                if (optlen < GROUP_FILTER_SIZE(0))
                        goto e_inval;
+               if (optlen > sysctl_optmem_max) {
+                       retv = -ENOBUFS;
+                       break;
+               }
                gsf = (struct group_filter *)kmalloc(optlen,GFP_KERNEL);
                if (gsf == 0) {
                        retv = -ENOBUFS;
@@ -450,7 +455,8 @@ done:
                        kfree(gsf);
                        break;
                }
-               if (GROUP_FILTER_SIZE(gsf->gf_numsrc) > optlen) {
+               if (GROUP_FILTER_SIZE(gsf->gf_numsrc) < GROUP_FILTER_SIZE(0) ||
+                   GROUP_FILTER_SIZE(gsf->gf_numsrc) > optlen) {
                        kfree(gsf);
                        retv = -EINVAL;
                        break;