Diffstat (limited to 'net/core/scm.c')
-rw-r--r-- | net/core/scm.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/net/core/scm.c b/net/core/scm.c
index c28da7ebb..cdb5f3d03 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -27,7 +27,6 @@
 #include <asm/uaccess.h>
 #include <linux/inet.h>
-#include <linux/netdevice.h>
 #include <net/ip.h>
 #include <net/protocol.h>
 #include <net/rarp.h>
@@ -123,7 +122,15 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
 err = -EINVAL;
 /* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
- if ((unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+ /* The first check was omitted in <= 2.2.5. The reasoning was
+ that parser checks cmsg_len in any case, so that
+ additional check would be work duplication.
+ But if cmsg_level is not SOL_SOCKET, we do not check
+ for too short ancillary data object at all! Oops.
+ OK, let's add it...
+ */
+ if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+ (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
 + cmsg->cmsg_len) > msg->msg_controllen)
 goto error; |
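Review bot: The upper-bound half of the new condition in the second hunk still adds the offset and `cmsg->cmsg_len` before comparing with `msg->msg_controllen`, so a very large `cmsg_len` could wrap the sum and pass the check even with the new lower bound in place (assuming `cmsg_len` is an unsigned size type, as the comparison with `sizeof` suggests). Comparing against the remaining space avoids the addition: `cmsg->cmsg_len > msg->msg_controllen - ((char*)cmsg - (char*)msg->msg_control)`. That form relies on `cmsg` lying inside the control buffer, which the iteration over the headers presumably guarantees but which is not visible here. The body of `__scm_send` starts and ends outside the hunk, so how later code uses `cmsg_len` cannot be confirmed from this page.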