authorShan Wei <shanwei@cn.fujitsu.com>2008-06-10 15:50:55 +0800
committerYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>2008-06-12 09:19:08 +0900
commite8766fc86b34d44a8c55a2f9d71da69e091b1ca4 (patch)
treec96952c8a6250c48036adcf51c6ef0bcc8d8c770
parent36e3deae8ba84865fd9eb3f2f21bbc00d49b7544 (diff)
ipv6: Check the hop limit setting in ancillary data.
When specifying the outgoing hop limit as ancillary data for sendmsg(), the kernel doesn't check the integer hop limit value as specified in [RFC-3542] section 6.3. Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
-rw-r--r--net/ipv6/datagram.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index b9c2de84a8a2..0f0f94a40335 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -705,6 +705,11 @@ int datagram_send_ctl(struct net *net,
}
*hlimit = *(int *)CMSG_DATA(cmsg);
+ if (*hlimit < -1 || *hlimit > 0xff) {
+ err = -EINVAL;
+ goto exit_f;
+ }
+
break;
case IPV6_TCLASS:
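Review bot: The user-supplied value is stored through `*hlimit` before the new range check runs, so on the `-EINVAL` path the caller's variable is left holding the rejected value. Whether any caller reads it after an error is not visible in this hunk, but validating a local first keeps the out-parameter clean: `int val = *(int *)CMSG_DATA(cmsg);`, then `if (val < -1 || val > 0xff) {` with the same error body, then `*hlimit = val;`. The bounds would also benefit from a one-line comment such as `/* RFC 3542 6.3: -1 selects the kernel default, 0..255 is an explicit hop limit */`, since `-1` and `0xff` are otherwise unexplained. The enclosing switch case and `datagram_send_ctl` itself begin and end outside the hunk, so the cmsg length check that presumably precedes this read cannot be confirmed from here.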