ipv6: Check the hop limit setting in ancillary data.
author Shan Wei <shanwei@cn.fujitsu.com>
Tue, 10 Jun 2008 07:50:55 +0000 (15:50 +0800)
committer YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Thu, 12 Jun 2008 00:19:08 +0000 (09:19 +0900)
When specifying the outgoing hop limit as ancillary data for sendmsg(),
the kernel doesn't check the integer hop limit value as specified in
[RFC-3542] section 6.3.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
net/ipv6/datagram.c

index b9c2de84a8a212d137e1ba0c17bc1125dd5b288d..0f0f94a40335e7a24a68181f1791d164d49cd3e2 100644 (file)
@@ -705,6 +705,11 @@ int datagram_send_ctl(struct net *net,
                        }
 
                        *hlimit = *(int *)CMSG_DATA(cmsg);
+                       if (*hlimit < -1 || *hlimit > 0xff) {
+                               err = -EINVAL;
+                               goto exit_f;
+                       }
+
                        break;
 
                case IPV6_TCLASS:
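
Review bot: The range check `if (*hlimit < -1 || *hlimit > 0xff)` runs only after `*hlimit = *(int *)CMSG_DATA(cmsg);` has already stored the caller-supplied value, so on the -EINVAL path the out parameter is left holding an out-of-range hop limit. Consider reading the value into a local int, validating it, and assigning to `*hlimit` only once it is accepted, so a caller that ignores or mishandles the error never sees the rejected value. A one-line comment on the bounds would also help: RFC 3542 section 6.3 treats -1 as "use the kernel default" and 0 to 255 as the valid explicit values, which is not obvious from `-1` and `0xff` alone.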