Merge branch 'net-2.6-misc-20080611a' of git://git.linux-ipv6.org/gitroot/yoshfuji/linux-2.6-fix

David S. Miller
2 parents 5cb960a805 1717699cd5
Showing 3 changed files Side-by-side Diff
net/ipv6/datagram.c
net/ipv6/ipv6_sockglue.c
net/ipv6/route.c
@@ -705,6 +705,11 @@
 			}
  
 			*hlimit = *(int *)CMSG_DATA(cmsg);
+			if (*hlimit < -1 || *hlimit > 0xff) {
+				err = -EINVAL;
+				goto exit_f;
+			}
+
 			break;
  
 		case IPV6_TCLASS:
@@ -67,7 +67,7 @@
  
 	/* RA packet may be delivered ONLY to IPPROTO_RAW socket */
 	if (sk->sk_type != SOCK_RAW || inet_sk(sk)->num != IPPROTO_RAW)
-		return -EINVAL;
+		return -ENOPROTOOPT;
  
 	new_ra = (sel>=0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
  
@@ -446,7 +446,7 @@
  
 	case IPV6_MULTICAST_HOPS:
 		if (sk->sk_type == SOCK_STREAM)
-			goto e_inval;
+			break;
 		if (optlen < sizeof(int))
 			goto e_inval;
 		if (val > 255 || val < -1)
  
@@ -458,13 +458,15 @@
 	case IPV6_MULTICAST_LOOP:
 		if (optlen < sizeof(int))
 			goto e_inval;
+		if (val != valbool)
+			goto e_inval;
 		np->mc_loop = valbool;
 		retv = 0;
 		break;
  
 	case IPV6_MULTICAST_IF:
 		if (sk->sk_type == SOCK_STREAM)
-			goto e_inval;
+			break;
 		if (optlen < sizeof(int))
 			goto e_inval;
  
@@ -860,7 +862,7 @@
 		if (sk->sk_protocol != IPPROTO_UDP &&
 		    sk->sk_protocol != IPPROTO_UDPLITE &&
 		    sk->sk_protocol != IPPROTO_TCP)
-			return -EINVAL;
+			return -ENOPROTOOPT;
 		if (sk->sk_state != TCP_ESTABLISHED)
 			return -ENOTCONN;
 		val = sk->sk_family;
@@ -874,6 +876,8 @@
 			return -EINVAL;
 		if (copy_from_user(&gsf, optval, GROUP_FILTER_SIZE(0)))
 			return -EFAULT;
+		if (gsf.gf_group.ss_family != AF_INET6)
+			return -EADDRNOTAVAIL;
 		lock_sock(sk);
 		err = ip6_mc_msfget(sk, &gsf,
 			(struct group_filter __user *)optval, optlen);
@@ -2196,8 +2196,12 @@
  
 	NLA_PUT_U32(skb, RTA_PRIORITY, rt->rt6i_metric);
  
-	expires = (rt->rt6i_flags & RTF_EXPIRES) ?
-			rt->rt6i_expires - jiffies : 0;
+	if (!(rt->rt6i_flags & RTF_EXPIRES))
+		expires = 0;
+	else if (rt->rt6i_expires - jiffies < INT_MAX)
+		expires = rt->rt6i_expires - jiffies;
+	else
+		expires = INT_MAX;
  
 	if (rtnl_put_cacheinfo(skb, &rt->u.dst, 0, 0, 0,
 			       expires, rt->u.dst.error) < 0)
...	...	@@ -705,6 +705,11 @@
705	705	}
706	706
707	707	hlimit = (int *)CMSG_DATA(cmsg);
	708	+ if (hlimit < -1 \|\| hlimit > 0xff) {
	709	+ err = -EINVAL;
	710	+ goto exit_f;
	711	+ }
	712	+
708	713	break;
709	714
710	715	case IPV6_TCLASS:
...	...	@@ -67,7 +67,7 @@
67	67
68	68	/* RA packet may be delivered ONLY to IPPROTO_RAW socket */
69	69	if (sk->sk_type != SOCK_RAW \|\| inet_sk(sk)->num != IPPROTO_RAW)
70		- return -EINVAL;
	70	+ return -ENOPROTOOPT;
71	71
72	72	new_ra = (sel>=0) ? kmalloc(sizeof(*new_ra), GFP_KERNEL) : NULL;
73	73
...	...	@@ -446,7 +446,7 @@
446	446
447	447	case IPV6_MULTICAST_HOPS:
448	448	if (sk->sk_type == SOCK_STREAM)
449		- goto e_inval;
	449	+ break;
450	450	if (optlen < sizeof(int))
451	451	goto e_inval;
452	452	if (val > 255 \|\| val < -1)
453	453
...	...	@@ -458,13 +458,15 @@
458	458	case IPV6_MULTICAST_LOOP:
459	459	if (optlen < sizeof(int))
460	460	goto e_inval;
	461	+ if (val != valbool)
	462	+ goto e_inval;
461	463	np->mc_loop = valbool;
462	464	retv = 0;
463	465	break;
464	466
465	467	case IPV6_MULTICAST_IF:
466	468	if (sk->sk_type == SOCK_STREAM)
467		- goto e_inval;
	469	+ break;
468	470	if (optlen < sizeof(int))
469	471	goto e_inval;
470	472
...	...	@@ -860,7 +862,7 @@
860	862	if (sk->sk_protocol != IPPROTO_UDP &&
861	863	sk->sk_protocol != IPPROTO_UDPLITE &&
862	864	sk->sk_protocol != IPPROTO_TCP)
863		- return -EINVAL;
	865	+ return -ENOPROTOOPT;
864	866	if (sk->sk_state != TCP_ESTABLISHED)
865	867	return -ENOTCONN;
866	868	val = sk->sk_family;
...	...	@@ -874,6 +876,8 @@
874	876	return -EINVAL;
875	877	if (copy_from_user(&gsf, optval, GROUP_FILTER_SIZE(0)))
876	878	return -EFAULT;
	879	+ if (gsf.gf_group.ss_family != AF_INET6)
	880	+ return -EADDRNOTAVAIL;
877	881	lock_sock(sk);
878	882	err = ip6_mc_msfget(sk, &gsf,
879	883	(struct group_filter __user *)optval, optlen);
...	...	@@ -2196,8 +2196,12 @@
2196	2196
2197	2197	NLA_PUT_U32(skb, RTA_PRIORITY, rt->rt6i_metric);
2198	2198
2199		- expires = (rt->rt6i_flags & RTF_EXPIRES) ?
2200		- rt->rt6i_expires - jiffies : 0;
	2199	+ if (!(rt->rt6i_flags & RTF_EXPIRES))
	2200	+ expires = 0;
	2201	+ else if (rt->rt6i_expires - jiffies < INT_MAX)
	2202	+ expires = rt->rt6i_expires - jiffies;
	2203	+ else
	2204	+ expires = INT_MAX;
2201	2205
2202	2206	if (rtnl_put_cacheinfo(skb, &rt->u.dst, 0, 0, 0,
2203	2207	expires, rt->u.dst.error) < 0)