Skip to content

Commit

Permalink
ipv6: raw: check passed optlen before reading
Browse files Browse the repository at this point in the history 
Add a check that the user-provided option is at least as long as the
number of bytes we intend to read. Before this patch we would blindly
read sizeof(int) bytes even in cases where the user passed
optlen<sizeof(int), which would potentially read garbage or fault.

Discovered by new tests in https://github.com/google/gvisor/pull/6957 .

The original get_user call predates history in the git repo.

Signed-off-by: Tamir Duberstein <tamird@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20211229200947.2862255-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
  • Loading branch information
Tamir Duberstein authored and Jakub Kicinski committed Dec 29, 2021
1 parent 5bec7ca commit fb7bc92
Showing 1 changed file with 3 additions and 0 deletions.
3 changes: 3 additions & 0 deletions net/ipv6/raw.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1020,6 +1020,9 @@ static int do_rawv6_setsockopt(struct sock *sk, int level, int optname,
struct raw6_sock *rp = raw6_sk(sk);
int val;

if (optlen < sizeof(val))
return -EINVAL;

if (copy_from_sockptr(&val, optval, sizeof(val)))
return -EFAULT;

Expand Down

0 comments on commit fb7bc92

Please sign in to comment.