IPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000]

author David S. Miller <davem@sunset.davemloft.net>

Wed, 7 Mar 2007 20:50:46 +0000 (12:50 -0800)

committer Greg Kroah-Hartman <gregkh@suse.de>

Fri, 9 Mar 2007 18:50:33 +0000 (10:50 -0800)
author David S. Miller <davem@sunset.davemloft.net>
Wed, 7 Mar 2007 20:50:46 +0000 (12:50 -0800)
committer Greg Kroah-Hartman <gregkh@suse.de>
Fri, 9 Mar 2007 18:50:33 +0000 (10:50 -0800)
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c

index 352690e2ab8280ec89019697cca70d48ada6e48c..23db88eb437bf37aba649c13b7f6c160cbe243ba 100644 (file)
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -796,11 +796,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
  EXPORT_SYMBOL(compat_ipv6_setsockopt);
  #endif
  
-static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr,
+static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
                                   char __user *optval, int len)
  {
-       if (!hdr)
+       struct ipv6_opt_hdr *hdr;
+
+       if (!opt || !opt->hopopt)
                 return 0;
+       hdr = opt->hopopt;
+
         len = min_t(int, len, ipv6_optlen(hdr));
         if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
                 return -EFAULT;
@@ -941,7 +945,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
         {
  
                 lock_sock(sk);
-               len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,
+               len = ipv6_getsockopt_sticky(sk, np->opt,
                                              optval, len);
                 release_sock(sk);
                 return put_user(len, optlen);
author	David S. Miller <davem@sunset.davemloft.net>
	Wed, 7 Mar 2007 20:50:46 +0000 (12:50 -0800)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Fri, 9 Mar 2007 18:50:33 +0000 (10:50 -0800)