diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2004-12-07 20:49:21 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@ppc970.osdl.org> | 2004-12-07 20:49:21 -0800 |
commit | 620512af09f33236b4ea04372816b761d48586d9 (patch) | |
tree | 65ac3c63230cdd8063176b9a46183c021fb15d41 /net | |
parent | 4c20da44c2f1228ea6cc805ed9236c03d5fa2a9a (diff) | |
download | history-620512af09f33236b4ea04372816b761d48586d9.tar.gz |
[NET]: Fix CMSG validation checks wrt. signedness.
Noticed by Georgi Guninski.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/core/scm.c | 4 | ||||
-rw-r--r-- | net/ipv4/ip_sockglue.c | 5 | ||||
-rw-r--r-- | net/ipv6/datagram.c | 4 | ||||
-rw-r--r-- | net/sctp/socket.c | 6 |
4 files changed, 4 insertions, 15 deletions
diff --git a/net/core/scm.c b/net/core/scm.c index 3699df388ebe6b..a2ebf30f6aa8c3 100644 --- a/net/core/scm.c +++ b/net/core/scm.c @@ -127,9 +127,7 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p) for too short ancillary data object at all! Oops. OK, let's add it... */ - if (cmsg->cmsg_len < sizeof(struct cmsghdr) || - (unsigned long)(((char*)cmsg - (char*)msg->msg_control) - + cmsg->cmsg_len) > msg->msg_controllen) + if (!CMSG_OK(msg, cmsg)) goto error; if (cmsg->cmsg_level != SOL_SOCKET) diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 8bb874be141afd..d352252326c18c 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -146,11 +146,8 @@ int ip_cmsg_send(struct msghdr *msg, struct ipcm_cookie *ipc) struct cmsghdr *cmsg; for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) { - if (cmsg->cmsg_len < sizeof(struct cmsghdr) || - (unsigned long)(((char*)cmsg - (char*)msg->msg_control) - + cmsg->cmsg_len) > msg->msg_controllen) { + if (!CMSG_OK(msg, cmsg)) return -EINVAL; - } if (cmsg->cmsg_level != SOL_IP) continue; switch (cmsg->cmsg_type) { diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c index 770284e5e7c98a..b077cd19f5766b 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c @@ -427,9 +427,7 @@ int datagram_send_ctl(struct msghdr *msg, struct flowi *fl, int addr_type; struct net_device *dev = NULL; - if (cmsg->cmsg_len < sizeof(struct cmsghdr) || - (unsigned long)(((char*)cmsg - (char*)msg->msg_control) - + cmsg->cmsg_len) > msg->msg_controllen) { + if (!CMSG_OK(msg, cmsg)) { err = -EINVAL; goto exit_f; } diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 2686c2dbabd2b6..d9967aaefecf65 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4098,12 +4098,8 @@ SCTP_STATIC int sctp_msghdr_parse(const struct msghdr *msg, for (cmsg = CMSG_FIRSTHDR(msg); cmsg != NULL; cmsg = CMSG_NXTHDR((struct msghdr*)msg, cmsg)) { - /* Check for minimum length. The SCM code has this check. */ - if (cmsg->cmsg_len < sizeof(struct cmsghdr) || - (unsigned long)(((char*)cmsg - (char*)msg->msg_control) - + cmsg->cmsg_len) > msg->msg_controllen) { + if (!CMSG_OK(msg, cmsg)) return -EINVAL; - } /* Should we parse this header or ignore? */ if (cmsg->cmsg_level != IPPROTO_SCTP) |