* IPV6: make ipv6_getsockopt_sticky honor user's buffer size
@ 2007-03-08 7:10 Chris Wright
2007-03-08 22:38 ` David Miller
0 siblings, 1 reply; 4+ messages in thread
From: Chris Wright @ 2007-03-08 7:10 UTC (permalink / raw)
To: davem; +Cc: yoshfuji, netdev
Make sure not to copy_to_user more than user's buffer can handle (we
already checked the min, just use it) in ipv6_getsockopt_sticky. And
while there, minor whitespace cleanup now that ipv6_getsockopt_sticky
call can nicely fit on one line.
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 4e0561a..9396551 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -805,7 +805,7 @@ static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
hdr = opt->hopopt;
len = min_t(int, len, ipv6_optlen(hdr));
- if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
+ if (copy_to_user(optval, hdr, len))
return -EFAULT;
return len;
}
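Review bot: With the size now taken from len, which comes out of a signed min_t(int, len, ipv6_optlen(hdr)), a negative len supplied by the caller stays negative and is passed to copy_to_user as the byte count. Please either confirm that every caller rejects len < 0 before reaching this function, or add an explicit check here that returns -EINVAL. Separately, the function returns the clamped len, so a caller with a short buffer gets a truncated header with no indication that ipv6_optlen(hdr) was larger; a one-line comment stating the intended truncation semantics would help.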
@@ -944,8 +944,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
{
lock_sock(sk);
- len = ipv6_getsockopt_sticky(sk, np->opt,
- optval, len);
+ len = ipv6_getsockopt_sticky(sk, np->opt, optval, len);
release_sock(sk);
return put_user(len, optlen);
}
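Review bot: The lines right after the joined call pass len straight to put_user(len, optlen), but the first hunk shows ipv6_getsockopt_sticky returning -EFAULT on a failed copy. In that case the negative value is stored into the caller's optlen and the syscall result is whatever put_user returns, so the error is lost. Consider checking "if (len < 0) return len;" after release_sock(sk). As a style point, the whitespace-only join would be easier to backport and bisect as its own patch, separate from the copy_to_user fix.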
* Re: IPV6: make ipv6_getsockopt_sticky honor user's buffer size
From: David Miller @ 2007-03-08 22:38 UTC (permalink / raw)
To: chrisw; +Cc: yoshfuji, netdev
From: Chris Wright <chrisw@sous-sol.org>
Date: Wed, 7 Mar 2007 23:10:48 -0800
> Make sure not to copy_to_user more than user's buffer can handle (we
> already checked the min, just use it) in ipv6_getsockopt_sticky. And
> while there, minor whitespace cleanup now that ipv6_getsockopt_sticky
> call can nicely fit on one line.
>
> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
I wonder about this :-)
This gives the user no way to figure out that ipv6_optlen(hdr) is
larger than the len they supplied.
In other situations usually we validate the length and return -EINVAL
if it is too small.
That might be the thing to do in this case too.
* Re: IPV6: make ipv6_getsockopt_sticky honor user's buffer size
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2007-03-09 0:49 UTC (permalink / raw)
To: davem; +Cc: chrisw, netdev, yoshfuji
In article <20070308.143804.21927824.davem@davemloft.net> (at Thu, 08 Mar 2007 14:38:04 -0800 (PST)), David Miller <davem@davemloft.net> says:
> From: Chris Wright <chrisw@sous-sol.org>
> Date: Wed, 7 Mar 2007 23:10:48 -0800
>
> > Make sure not to copy_to_user more than user's buffer can handle (we
> > already checked the min, just use it) in ipv6_getsockopt_sticky. And
> > while there, minor whitespace cleanup now that ipv6_getsockopt_sticky
> > call can nicely fit on one line.
> >
> > Signed-off-by: Chris Wright <chrisw@sous-sol.org>
>
> I wonder about this :-)
>
> This gives the user no way to figure out that ipv6_optlen(hdr) is
> larger than the len they supplied.
>
> In other situations usually we validate the length and return -EINVAL
> if it is too small.
>
> That might be the thing to do in this case too.
We should give truncated result and return full length
from the POSIX POV.
--yoshfuji
* Re: IPV6: make ipv6_getsockopt_sticky honor user's buffer size
From: David Miller @ 2007-03-09 1:11 UTC (permalink / raw)
To: yoshfuji; +Cc: chrisw, netdev
From: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
Date: Fri, 09 Mar 2007 09:49:32 +0900 (JST)
> We should give truncated result and return full length
> from the POSIX POV.
True, and the user would know what happened because it
knows both the original length it gave and the larger
one the kernel gave as the return value.
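
An added example, not part of the thread or of the kernel source: a userspace C model of the four behaviours this thread discusses (the pre-patch copy, the patched copy, the -EINVAL alternative, and a truncated result with the full length returned). The names sticky_model and demo, the policy labels and the 24-byte/8-byte sizes are constructed for illustration, and memcpy stands in for copy_to_user.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace model, not kernel code: memcpy stands in for copy_to_user,
 * hdr_len for ipv6_optlen(hdr), user_len for the caller's optlen. */
enum policy {
    PRE_PATCH,      /* copy hdr_len bytes, return min(user_len, hdr_len) */
    PATCHED,        /* copy min bytes, return min */
    REJECT_SHORT,   /* -EINVAL when the buffer is too small */
    TRUNC_FULL_LEN  /* copy min bytes, return hdr_len */
};
#define MODEL_CAP 64  /* real size of the modelled user allocation */

struct result { int ret, written, past_len; }; /* past_len: bytes beyond user_len */

static struct result sticky_model(enum policy p, unsigned char *ubuf,
                                  int user_len, const unsigned char *hdr, int hdr_len)
{
    struct result r = { 0, 0, 0 };
    int n = user_len < hdr_len ? user_len : hdr_len;  /* min_t(int, ...) */

    /* Keep the model itself in bounds (this also rejects negative lengths). */
    if (user_len < 0 || hdr_len < 0 || user_len > MODEL_CAP || hdr_len > MODEL_CAP ||
        (p == REJECT_SHORT && user_len < hdr_len)) {
        r.ret = -EINVAL;
        return r;
    }
    r.written = (p == PRE_PATCH) ? hdr_len : n;
    memcpy(ubuf, hdr, (size_t)r.written);
    r.past_len = r.written > user_len ? r.written - user_len : 0;
    r.ret = (p == TRUNC_FULL_LEN) ? hdr_len : n;
    return r;
}

/* Constructed case: 24-byte option header, caller declares an 8-byte buffer. */
static struct result demo(enum policy p)
{
    unsigned char hdr[24], ubuf[MODEL_CAP];
    memset(hdr, 0xAB, sizeof hdr);
    memset(ubuf, 0, sizeof ubuf);
    return sticky_model(p, ubuf, 8, hdr, (int)sizeof hdr);
}

int main(void)
{
    for (int p = PRE_PATCH; p <= TRUNC_FULL_LEN; p++) {
        struct result r = demo((enum policy)p);
        printf("policy %d: ret=%d written=%d past_len=%d\n", p, r.ret, r.written, r.past_len);
    }
    return 0;
}
```

Only the last policy lets the caller detect truncation without an error, by comparing the returned length with the length it passed in.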