Commit 99253eb

lxin authored and davem330 committed
ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
Commit 5e1859f ("ipv4: ipmr: various fixes and cleanups") fixed the issue for ipv4 ipmr:

ip_mroute_setsockopt() & ip_mroute_getsockopt() should not access/set raw_sk(sk)->ipmr_table before making sure the socket is a raw socket, and protocol is IGMP

The same fix should be done for ipv6 ipmr as well.

This patch can fix the panic caused by overwriting the same offset as ipmr_table as in raw_sk(sk) when accessing other type's socket by ip_mroute_setsockopt().

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 2e3ce5b commit 99253eb

1 file changed: +8 -3 lines changed

Diff for: net/ipv6/ip6mr.c

@@ -1666,6 +1666,10 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
16661666
struct net *net = sock_net(sk);
16671667
struct mr6_table *mrt;
16681668

1669+
if (sk->sk_type != SOCK_RAW ||
1670+
inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
1671+
return -EOPNOTSUPP;
1672+
16691673
mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
16701674
if (!mrt)
16711675
return -ENOENT;
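Review bot: the check added at the top of ip6_mroute_setsockopt() changes which errno a caller sees, and neither the commit message nor a comment says so. In this diff the old check sat only under case MRT6_INIT and ran after the ip6mr_get_table() lookup, which could already have returned -ENOENT; now every optname on a socket that is not SOCK_RAW with IPPROTO_ICMPV6 gets -EOPNOTSUPP first. That is worth a sentence in the changelog, and a one-line comment above the check saying it must stay ahead of the raw6_sk(sk)->ip6mr_table read would keep a later cleanup from moving it back into the switch.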
@@ -1677,9 +1681,6 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
16771681

16781682
switch (optname) {
16791683
case MRT6_INIT:
1680-
if (sk->sk_type != SOCK_RAW ||
1681-
inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
1682-
return -EOPNOTSUPP;
16831684
if (optlen < sizeof(int))
16841685
return -EINVAL;
16851686

@@ -1815,6 +1816,10 @@ int ip6_mroute_getsockopt(struct sock *sk, int optname, char __user *optval,
18151816
struct net *net = sock_net(sk);
18161817
struct mr6_table *mrt;
18171818

1819+
if (sk->sk_type != SOCK_RAW ||
1820+
inet_sk(sk)->inet_num != IPPROTO_ICMPV6)
1821+
return -EOPNOTSUPP;
1822+
18181823
mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
18191824
if (!mrt)
18201825
return -ENOENT;
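Review bot: the two-line sk_type/inet_num condition added at the top of ip6_mroute_getsockopt() is a verbatim copy of the one added to ip6_mroute_setsockopt(). Consider a small static helper in ip6mr.c that both entry points call, so the two checks cannot drift apart; the raw6_sk(sk)->ip6mr_table read on the line directly below depends on it in both functions.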
