authorDan Rosenberg <drosenberg@vsecurity.com>2011-05-06 03:27:18 +0000
committerPaul Gortmaker <paul.gortmaker@windriver.com>2012-03-14 10:57:54 -0400
commit5c6997e05926b59b5f7067077b7da41d5be99de3 (patch)
tree5c3b826e4579f0809b056ff0a4867e66ed599b5f
parenta97b66db08803e16a8ae05f9f13736878045130c (diff)
dccp: handle invalid feature options length
commit a294865978b701e4d0d90135672749531b9a900d upstream. A length of zero (after subtracting two for the type and len fields) for the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to the subtraction. The subsequent code may read past the end of the options value buffer when parsing. I'm unsure of what the consequences of this might be, but it's probably not good. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Acked-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--net/dccp/options.c2
1 files changed, 2 insertions, 0 deletions
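--- a/net/dccp/options.c
+++ b/net/dccp/options.c
@@ -131,6 +131,8 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq,
 		case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
 			if (pkt_type == DCCP_PKT_DATA)      /* RFC 4340, 6 */
 				break;
+			if (len == 0)
+				goto out_invalid_option;
 			rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
 						    *value, value + 1, len - 1);
 			if (rc)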
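Review bot: The new guard `if (len == 0) goto out_invalid_option;` is what keeps the `*value` read and the `len - 1` argument on the following lines in bounds, but nothing at the call site says so; a reader has to know from the commit message that `len` already has the type and length bytes subtracted. A short comment above the guard would preserve that invariant, e.g. `/* need at least the feature-number byte; len - 1 below would underflow on an empty value */`. The check is scoped to this `case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R` range only; if other cases in the same switch derive a sub-length from `len` in the same way they would need an equivalent check, which cannot be confirmed from the hunk. dccp_parse_options starts and ends outside the hunk.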