dccp: change L/R must have at least one byte in the dccpsf_val field

Thanks to Eugene Teo for reporting this problem.

Signed-off-by: Eugene Teo <eugenete@kernel.sg>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index b622d9744856a9e8320f812cb9e9d85699f1a6a0..1ca3b26eed0fb09c479d4e513efd2d185c69bcc0 100644 (file)
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -474,6 +474,11 @@ static int dccp_setsockopt_change(struct sock *sk, int type,
 
        if (copy_from_user(&opt, optval, sizeof(opt)))
                return -EFAULT;
+       /*
+        * rfc4340: 6.1. Change Options
+        */
+       if (opt.dccpsf_len < 1)
+               return -EINVAL;
 
        val = kmalloc(opt.dccpsf_len, GFP_KERNEL);
        if (!val)