authorArnaldo Carvalho de Melo <acme@redhat.com>2008-08-13 13:48:39 -0700
committerDavid S. Miller <davem@davemloft.net>2008-08-13 13:48:39 -0700
commit3e8a0a559c66ee9e7468195691a56fefc3589740 (patch)
treecc54fecf644c138c38dd29b960c7dc42cbe6b558 /net
parentc1e24df27fb1058739789126db6ad1b1ef719346 (diff)
dccp: change L/R must have at least one byte in the dccpsf_val field
Thanks to Eugene Teo for reporting this problem. Signed-off-by: Eugene Teo <eugenete@kernel.sg> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index b622d9744856..1ca3b26eed0f 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -474,6 +474,11 @@ static int dccp_setsockopt_change(struct sock *sk, int type,
if (copy_from_user(&opt, optval, sizeof(opt)))
return -EFAULT;
+ /*
+ * rfc4340: 6.1. Change Options
+ */
+ if (opt.dccpsf_len < 1)
+ return -EINVAL;
val = kmalloc(opt.dccpsf_len, GFP_KERNEL);
if (!val)

