diff options
author | Dan Rosenberg <drosenberg@vsecurity.com> | 2011-05-06 05:27:18 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-05-06 22:05:50 +0200 |
commit | a294865978b701e4d0d90135672749531b9a900d (patch) | |
tree | 4edb7c20db20d81867562fc5cbc0d7c7b5a70df5 /net/dccp | |
parent | can: fix SJA1000 dlc for RTR packets (diff) | |
download | linux-a294865978b701e4d0d90135672749531b9a900d.tar.xz linux-a294865978b701e4d0d90135672749531b9a900d.zip |
dccp: handle invalid feature options length
A length of zero (after subtracting two for the type and len fields) for
the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
the subtraction. The subsequent code may read past the end of the
options value buffer when parsing. I'm unsure of what the consequences
of this might be, but it's probably not good.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/dccp')
-rw-r--r-- | net/dccp/options.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/dccp/options.c b/net/dccp/options.c index f06ffcfc8d71..4b2ab657ac8e 100644 --- a/net/dccp/options.c +++ b/net/dccp/options.c @@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq, case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R: if (pkt_type == DCCP_PKT_DATA) /* RFC 4340, 6 */ break; + if (len == 0) + goto out_invalid_option; rc = dccp_feat_parse_options(sk, dreq, mandatory, opt, *value, value + 1, len - 1); if (rc) |