summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChris Wright <chrisw@sous-sol.org>2007-03-10 01:19:17 +0100
committerDavid S. Miller <davem@davemloft.net>2007-03-10 01:19:17 +0100
commitd2b02ed9487ed25832d19534575052e43f8e0c4f (patch)
tree292944e3306f4209dde7ffc18e36fc3d6e3fd8d7
parent[IPV6]: Fix for ipv6_setsockopt NULL dereference (diff)
downloadlinux-d2b02ed9487ed25832d19534575052e43f8e0c4f.tar.xz
linux-d2b02ed9487ed25832d19534575052e43f8e0c4f.zip
[IPV6] fix ipv6_getsockopt_sticky copy_to_user leak
User supplied len < 0 can cause leak of kernel memory. Use unsigned compare instead. Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/ipv6/ipv6_sockglue.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index b82333b9228f..f5f9582a8d39 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -804,7 +804,7 @@ static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
return 0;
hdr = opt->hopopt;
- len = min_t(int, len, ipv6_optlen(hdr));
+ len = min_t(unsigned int, len, ipv6_optlen(hdr));
if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
return -EFAULT;
return len;