releases/2.6.20.2/ipv6-handle-np-opt-being-null-in-ipv6_getsockopt_sticky.patch

   1 From 286930797d74b2c9a5beae84836044f6a836235f Mon Sep 17 00:00:00 2001
   2 From: David S. Miller <davem@sunset.davemloft.net>
   3 Date: Wed, 7 Mar 2007 12:50:46 -0800
   4 Subject: IPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000]
   5
   6 This fixes http://bugzilla.kernel.org/show_bug.cgi?id=8134
   7
   8 Signed-off-by: David S. Miller <davem@davemloft.net>
   9 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  10 ---
  11  net/ipv6/ipv6_sockglue.c |   10 +++++++---
  12  1 file changed, 7 insertions(+), 3 deletions(-)
  13
  14 --- linux-2.6.20.1.orig/net/ipv6/ipv6_sockglue.c
  15 +++ linux-2.6.20.1/net/ipv6/ipv6_sockglue.c
  16 @@ -796,11 +796,15 @@ int compat_ipv6_setsockopt(struct sock *
  17  EXPORT_SYMBOL(compat_ipv6_setsockopt);
  18  #endif
  19
  20 -static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr,
  21 +static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
  22                                   char __user *optval, int len)
  23  {
  24 -       if (!hdr)
  25 +       struct ipv6_opt_hdr *hdr;
  26 +
  27 +       if (!opt || !opt->hopopt)
  28                 return 0;
  29 +       hdr = opt->hopopt;
  30 +
  31         len = min_t(int, len, ipv6_optlen(hdr));
  32         if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
  33                 return -EFAULT;
  34 @@ -941,7 +945,7 @@ static int do_ipv6_getsockopt(struct soc
  35         {
  36
  37                 lock_sock(sk);
  38 -               len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,
  39 +               len = ipv6_getsockopt_sticky(sk, np->opt,
  40                                              optval, len);
  41                 release_sock(sk);
  42                 return put_user(len, optlen);