1 From 286930797d74b2c9a5beae84836044f6a836235f Mon Sep 17 00:00:00 2001
2 From: David S. Miller <davem@sunset.davemloft.net>
3 Date: Wed, 7 Mar 2007 12:50:46 -0800
4 Subject: IPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000]
6 This fixes http://bugzilla.kernel.org/show_bug.cgi?id=8134
8 Signed-off-by: David S. Miller <davem@davemloft.net>
9 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
11 net/ipv6/ipv6_sockglue.c | 10 +++++++---
12 1 file changed, 7 insertions(+), 3 deletions(-)
14 --- linux-2.6.20.1.orig/net/ipv6/ipv6_sockglue.c
15 +++ linux-2.6.20.1/net/ipv6/ipv6_sockglue.c
16 @@ -796,11 +796,15 @@ int compat_ipv6_setsockopt(struct sock *
17 EXPORT_SYMBOL(compat_ipv6_setsockopt);
20 -static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr,
21 +static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
22 char __user *optval, int len)
25 + struct ipv6_opt_hdr *hdr;
27 + if (!opt || !opt->hopopt)
31 len = min_t(int, len, ipv6_optlen(hdr));
32 if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
34 @@ -941,7 +945,7 @@ static int do_ipv6_getsockopt(struct soc
38 - len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,
39 + len = ipv6_getsockopt_sticky(sk, np->opt,
42 return put_user(len, optlen);