[PATCH] ipv6: routing header fixes

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ipv6: routing header fixes
@ 2008-11-11 22:11 Brian Haley
  2008-11-13  6:59 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Brian Haley @ 2008-11-11 22:11 UTC (permalink / raw)
  To: David Miller; +Cc: netdev@vger.kernel.org, Shan Wei

[-- Attachment #1: Type: text/plain, Size: 410 bytes --]

This patch fixes two bugs:

1. setsockopt() of anything but a Type 2 routing header should return 
EINVAL instead of EPERM.  Noticed by Shan Wei (shanwei@cn.fujitsu.com).

2. setsockopt()/sendmsg() of a Type 2 routing header with invalid length 
or segments should return EINVAL.  These values are statically fixed in 
RFC 3775, unlike the variable Type 0 was.

Signed-off-by: Brian Haley <brian.haley@hp.com>

[-- Attachment #2: rthdr2.patch --]
[-- Type: text/x-diff, Size: 1138 bytes --]

diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 410046a..e44deb8 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -661,6 +661,11 @@ int datagram_send_ctl(struct net *net,
 			switch (rthdr->type) {
 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
 			case IPV6_SRCRT_TYPE_2:
+				if (rthdr->hdrlen != 2 ||
+				    rthdr->segments_left != 1) {
+					err = -EINVAL;
+					goto exit_f;
+				}
 				break;
 #endif
 			default:
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 4e5eac3..2aa294b 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -366,11 +366,16 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
 		}
 
 		/* routing header option needs extra check */
+		retv = -EINVAL;
 		if (optname == IPV6_RTHDR && opt && opt->srcrt) {
 			struct ipv6_rt_hdr *rthdr = opt->srcrt;
 			switch (rthdr->type) {
 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
 			case IPV6_SRCRT_TYPE_2:
+				if (rthdr->hdrlen != 2 ||
+				    rthdr->segments_left != 1)
+					goto sticky_done;
+
 				break;
 #endif
 			default:

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH] ipv6: routing header fixes
  2008-11-11 22:11 [PATCH] ipv6: routing header fixes Brian Haley
@ 2008-11-13  6:59 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2008-11-13  6:59 UTC (permalink / raw)
  To: brian.haley; +Cc: netdev, shanwei

From: Brian Haley <brian.haley@hp.com>
Date: Tue, 11 Nov 2008 17:11:43 -0500

> This patch fixes two bugs:
> 
> 1. setsockopt() of anything but a Type 2 routing header should return EINVAL instead of EPERM.  Noticed by Shan Wei (shanwei@cn.fujitsu.com).
> 
> 2. setsockopt()/sendmsg() of a Type 2 routing header with invalid length or segments should return EINVAL.  These values are statically fixed in RFC 3775, unlike the variable Type 0 was.
> 
> Signed-off-by: Brian Haley <brian.haley@hp.com>

Looks good, applied, thanks Brian.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2008-11-13  6:59 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-11-11 22:11 [PATCH] ipv6: routing header fixes Brian Haley
2008-11-13  6:59 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).