IPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000]

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=8134 Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
author: David S. Miller <davem@sunset.davemloft.net> 2007-03-07 12:50:46 -0800
committer: Greg Kroah-Hartman <gregkh@suse.de> 2007-03-09 10:50:33 -0800
commit: 4c9ef074b33690981d81ab0107fe2573007083ef (patch)
tree: 7d4d654bc35918cbafe8256ab9878128c38778e2
parent: 3baa43fdc9b64646b468b92936c4842c51b9e2ed (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 352690e2ab8..23db88eb437 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -796,11 +796,15 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
 EXPORT_SYMBOL(compat_ipv6_setsockopt);
 #endif
 
-static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_opt_hdr *hdr,
+static int ipv6_getsockopt_sticky(struct sock *sk, struct ipv6_txoptions *opt,
 				  char __user *optval, int len)
 {
-	if (!hdr)
+	struct ipv6_opt_hdr *hdr;
+
+	if (!opt || !opt->hopopt)
 		return 0;
+	hdr = opt->hopopt;
+
 	len = min_t(int, len, ipv6_optlen(hdr));
 	if (copy_to_user(optval, hdr, ipv6_optlen(hdr)))
 		return -EFAULT;
@@ -941,7 +945,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
 	{
 
 		lock_sock(sk);
-		len = ipv6_getsockopt_sticky(sk, np->opt->hopopt,
+		len = ipv6_getsockopt_sticky(sk, np->opt,
 					     optval, len);
 		release_sock(sk);
 		return put_user(len, optlen);
author	David S. Miller <davem@sunset.davemloft.net>	2007-03-07 12:50:46 -0800
committer	Greg Kroah-Hartman <gregkh@suse.de>	2007-03-09 10:50:33 -0800
commit	4c9ef074b33690981d81ab0107fe2573007083ef (patch)
tree	7d4d654bc35918cbafe8256ab9878128c38778e2
parent	3baa43fdc9b64646b468b92936c4842c51b9e2ed (diff)