ipv6: Disallow rediculious flowlabel option sizes.

(backported from 2.6 commit 684de409acff8b1fe8bf188d75ff2f99c624387d) Just like PKTINFO, limit the options area to 64K. Based upon report by Eric Sesterhenn and analysis by Roland Dreier. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
author: David S. Miller <davem@davemloft.net> 2009-02-06 00:49:55 -0800
committer: Willy Tarreau <w@1wt.eu> 2009-06-07 21:36:48 +0200
commit: ab66e48b6ce77d564b6bb71d4e393264a98f186c (patch)
tree: 0d87dbdf14e5c6e1daf8642d85aa9097678c0f13
parent: d5c575f0c0b56eb020c6501a71706d8f26dd9669 (diff)
download: linux-2.4-ab66e48b6ce77d564b6bb71d4e393264a98f186c.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index fc5f1b877e9b7b..a15629c7bfd602 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -274,18 +274,22 @@ static int fl6_renew(struct ip6_flowlabel *fl, unsigned linger, unsigned expires
 static struct ip6_flowlabel *
 fl_create(struct in6_flowlabel_req *freq, char *optval, int optlen, int *err_p)
 {
-	struct ip6_flowlabel *fl;
+	struct ip6_flowlabel *fl = NULL;
 	int olen;
 	int addr_type;
 	int err;
 
+	olen = optlen - CMSG_ALIGN(sizeof(*freq));
+	err = -EINVAL;
+	if (olen > 64 * 1024)
+		goto done;
+
 	err = -ENOMEM;
 	fl = kmalloc(sizeof(*fl), GFP_KERNEL);
 	if (fl == NULL)
 		goto done;
 	memset(fl, 0, sizeof(*fl));
 
-	olen = optlen - CMSG_ALIGN(sizeof(*freq));
 	if (olen > 0) {
 		struct msghdr msg;
 		struct flowi flowi;
author	David S. Miller <davem@davemloft.net>	2009-02-06 00:49:55 -0800
committer	Willy Tarreau <w@1wt.eu>	2009-06-07 21:36:48 +0200
commit	ab66e48b6ce77d564b6bb71d4e393264a98f186c (patch)
tree	0d87dbdf14e5c6e1daf8642d85aa9097678c0f13
parent	d5c575f0c0b56eb020c6501a71706d8f26dd9669 (diff)
download	linux-2.4-ab66e48b6ce77d564b6bb71d4e393264a98f186c.tar.gz