[IPV6] ADDRCONF: Check payload length for IFA_LOCAL attribute in RTM_{ADD,DEL}MSG...

author YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

Fri, 28 Jul 2006 09:12:09 +0000 (18:12 +0900)

committer David S. Miller <davem@sunset.davemloft.net>

Wed, 2 Aug 2006 20:38:08 +0000 (13:38 -0700)
author YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Fri, 28 Jul 2006 09:12:09 +0000 (18:12 +0900)
committer David S. Miller <davem@sunset.davemloft.net>
Wed, 2 Aug 2006 20:38:08 +0000 (13:38 -0700)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c

index 2316a43..81702b9 100644 (file)
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2853,7 +2853,8 @@ inet6_rtm_deladdr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
                 pfx = RTA_DATA(rta[IFA_ADDRESS-1]);
         }
         if (rta[IFA_LOCAL-1]) {
-               if (pfx && memcmp(pfx, RTA_DATA(rta[IFA_LOCAL-1]), sizeof(*pfx)))
+               if (RTA_PAYLOAD(rta[IFA_LOCAL-1]) < sizeof(*pfx) ||
+                   (pfx && memcmp(pfx, RTA_DATA(rta[IFA_LOCAL-1]), sizeof(*pfx))))
                         return -EINVAL;
                 pfx = RTA_DATA(rta[IFA_LOCAL-1]);
         }
@@ -2877,7 +2878,8 @@ inet6_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
                 pfx = RTA_DATA(rta[IFA_ADDRESS-1]);
         }
         if (rta[IFA_LOCAL-1]) {
-               if (pfx && memcmp(pfx, RTA_DATA(rta[IFA_LOCAL-1]), sizeof(*pfx)))
+               if (RTA_PAYLOAD(rta[IFA_LOCAL-1]) < sizeof(*pfx) ||
+                   (pfx && memcmp(pfx, RTA_DATA(rta[IFA_LOCAL-1]), sizeof(*pfx))))
                         return -EINVAL;
                 pfx = RTA_DATA(rta[IFA_LOCAL-1]);
         }
author	YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
	Fri, 28 Jul 2006 09:12:09 +0000 (18:12 +0900)
committer	David S. Miller <davem@sunset.davemloft.net>
	Wed, 2 Aug 2006 20:38:08 +0000 (13:38 -0700)