From: Arnaldo Carvalho de Melo Date: Wed, 13 Aug 2008 20:48:39 +0000 (-0700) Subject: dccp: change L/R must have at least one byte in the dccpsf_val field X-Git-Tag: v2.6.25.16~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab332c1c4bcdd94cb1d2eb6778e38b4b640f918a;p=thirdparty%2Fkernel%2Fstable.git dccp: change L/R must have at least one byte in the dccpsf_val field commit 3e8a0a559c66ee9e7468195691a56fefc3589740 upstream Thanks to Eugene Teo for reporting this problem. Signed-off-by: Eugene Teo Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Gerrit Renker Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- diff --git a/net/dccp/proto.c b/net/dccp/proto.c index c91d3c1fd30d4..c3e3acb2a158a 100644 --- a/net/dccp/proto.c +++ b/net/dccp/proto.c @@ -477,6 +477,11 @@ static int dccp_setsockopt_change(struct sock *sk, int type, if (copy_from_user(&opt, optval, sizeof(opt))) return -EFAULT; + /* + * rfc4340: 6.1. Change Options + */ + if (opt.dccpsf_len < 1) + return -EINVAL; val = kmalloc(opt.dccpsf_len, GFP_KERNEL); if (!val)
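Review bot: The new check before kmalloc() in dccp_setsockopt_change() bounds opt.dccpsf_len only from below; the length comes straight from copy_from_user(&opt, optval, sizeof(opt)) and is still passed to kmalloc(opt.dccpsf_len, GFP_KERNEL) with no upper limit visible in this hunk. If the feature value has a maximum size, reject lengths above it in the same test so both ends are validated in one place. The comment cites "rfc4340: 6.1. Change Options" without saying what that section requires; spelling out that a Change L/R option must carry at least one byte in dccpsf_val would make the check self-explanatory. The commit message would also benefit from stating what a zero length led to, since neither it nor the hunk says.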