From db7d4daea91e105e3859cf461d7e53b9b77454b2 Mon Sep 17 00:00:00 2001
From: Ralf Baechle
Date: Sun, 13 Jun 1999 16:29:25 +0000
Subject: Merge with Linux 2.2.8.

---
 net/core/scm.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'net/core/scm.c')

diff --git a/net/core/scm.c b/net/core/scm.c
index c28da7ebb..cdb5f3d03 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -27,7 +27,6 @@
 #include
 #include
-#include
 #include
 #include
 #include
@@ -123,7 +122,15 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
 err = -EINVAL;
 /* Verify that cmsg_len is at least sizeof(struct cmsghdr) */
- if ((unsigned long)(((char*)cmsg - (char*)msg->msg_control)
+ /* The first check was omitted in <= 2.2.5. The reasoning was
+ that parser checks cmsg_len in any case, so that
+ additional check would be work duplication.
+ But if cmsg_level is not SOL_SOCKET, we do not check
+ for too short ancillary data object at all! Oops.
+ OK, let's add it...
+ */
+ if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||
+ (unsigned long)(((char*)cmsg - (char*)msg->msg_control)
 + cmsg->cmsg_len) > msg->msg_controllen)
 goto error;
-- 
cgit v1.2.3
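Review bot: The upper-bound test in the new condition still adds the caller-supplied `cmsg_len` to the offset of `cmsg` inside `msg_control` before comparing, so an over-large `cmsg_len` (presumably an unsigned size type here) can wrap the `unsigned long` sum back below `msg_controllen` and pass even though the new `< sizeof(struct cmsghdr)` guard is satisfied. Comparing against the space that remains instead avoids the addition entirely, e.g. `if (cmsg->cmsg_len < sizeof(struct cmsghdr) ||` / `    cmsg->cmsg_len > msg->msg_controllen - (unsigned long)((char*)cmsg - (char*)msg->msg_control))`, which is well-defined because the loop only ever sees a `cmsg` at or after `msg_control`. The added comment explains the history well but could be reduced to the invariant it enforces, e.g. `/* Reject a cmsg whose header is truncated or whose length runs past msg_control. */`. The body of `__scm_send`, including the loop that advances `cmsg` and the code that later consumes `cmsg_len`, lies outside the hunk.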