From: Shan Wei <shanwei@cn.fujitsu.com>
Date: Tue, 10 Jun 2008 07:50:55 +0000 (+0800)
Subject: ipv6: Check the hop limit setting in ancillary data.
X-Git-Tag: v2.6.26-rc7~40^2~5^2~2
X-Git-Url: https://bbs.cooldavid.org/git/?p=net-next-2.6.git;a=commitdiff_plain;h=e8766fc86b34d44a8c55a2f9d71da69e091b1ca4

ipv6: Check the hop limit setting in ancillary data.

When specifing the outgoing hop limit as ancillary data for sendmsg(),
the kernel doesn't check the integer hop limit value as specified in
[RFC-3542] section 6.3.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
---

diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index b9c2de84a8a..0f0f94a4033 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -705,6 +705,11 @@ int datagram_send_ctl(struct net *net,
 			}
 
 			*hlimit = *(int *)CMSG_DATA(cmsg);
+			if (*hlimit < -1 || *hlimit > 0xff) {
+				err = -EINVAL;
+				goto exit_f;
+			}
+
 			break;
 
 		case IPV6_TCLASS: