ipv6: Check the hop limit setting in ancillary data.
Shan Wei [Tue, 10 Jun 2008 07:50:55 +0000 (15:50 +0800)]
When specifing the outgoing hop limit as ancillary data for sendmsg(),
the kernel doesn't check the integer hop limit value as specified in
[RFC-3542] section 6.3.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

net/ipv6/datagram.c

index b9c2de8..0f0f94a 100644 (file)
@@ -705,6 +705,11 @@ int datagram_send_ctl(struct net *net,
                        }
 
                        *hlimit = *(int *)CMSG_DATA(cmsg);
+                       if (*hlimit < -1 || *hlimit > 0xff) {
+                               err = -EINVAL;
+                               goto exit_f;
+                       }
+
                        break;
 
                case IPV6_TCLASS: