diff -u --recursive --new-file /disk1/davem/PREV_CVS_SNAPSHOT/linux/net/socket.c linux/net/socket.c
--- /disk1/davem/PREV_CVS_SNAPSHOT/linux/net/socket.c Sun Sep 14 04:37:25 1997
+++ linux/net/socket.c Tue Sep 16 22:15:14 1997
@@ -1164,6 +1164,9 @@
err = -ENOBUFS;
goto failed2;
}
+ } else {
+ err = -EINVAL;
+ goto failed2;
}
if (copy_from_user(ctl_buf, msg_sys.msg_control,
msg_sys.msg_controllen)) {
The new 'else' section gets invoked if msg_sys.msg_controllen is
too large, but it *also* gets invoked if msg_sys.msg_controllen is
less than sizeof(ctl). That composite 'if' statement just above this
patch needs to be separated into two 'if' statements to handle all
three cases.
I've attached my quickie patch against plain 2.1.55. I've compiled it
but I haven't tested it.
Michael Chastain
<mailto:mec@shout.net>
"love without fear"
--- linux-2.1.55/net/socket.c Thu Sep 4 20:25:29 1997
+++ linux/net/socket.c Tue Sep 16 20:38:21 1997
@@ -1156,8 +1156,12 @@
* skbuff accounting stops it from going too far.
* I hope this is correct.
*/
- if (msg_sys.msg_controllen > sizeof(ctl) &&
- msg_sys.msg_controllen <= 256)
+ if (msg_sys.msg_controllen > 256)
+ {
+ err = -EINVAL;
+ goto failed2;
+ }
+ if (msg_sys.msg_controllen > sizeof(ctl))
{
ctl_buf = kmalloc(msg_sys.msg_controllen, GFP_KERNEL);
if (ctl_buf == NULL)
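Review bot: The bound on line 32, `if (msg_sys.msg_controllen > 256)`, hard-codes the limit that the comment above attributes to skbuff accounting, and the same literal on removed line 31 shows the check has already moved once; a file-local named constant (name of your choosing) keeps the cap and the comment from drifting apart. If msg_controllen is a signed type in this tree — its declaration is not visible in the hunk — a negative value passes the `> 256` test and the comparison against `sizeof(ctl)` then promotes it to unsigned, so the kmalloc on line 39 presumably receives a huge length and the caller gets -ENOBUFS rather than -EINVAL; rejecting it up front, `if (msg_sys.msg_controllen < 0 || msg_sys.msg_controllen > 256)`, makes the rejection explicit and the error code deterministic (drop the `< 0` half if the field is unsigned). The enclosing function starts and ends outside the hunk.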