ipv6: Disallow rediculious flowlabel option sizes.

Just like PKTINFO, limit the options area to 64K.

Based upon report by Eric Sesterhenn and analysis by
Roland Dreier.

Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index c62dd24..7712578 100644 (file)
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -323,17 +323,21 @@ static struct ip6_flowlabel *
 fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
          int optlen, int *err_p)
 {
-       struct ip6_flowlabel *fl;
+       struct ip6_flowlabel *fl = NULL;
        int olen;
        int addr_type;
        int err;
 
+       olen = optlen - CMSG_ALIGN(sizeof(*freq));
+       err = -EINVAL;
+       if (olen > 64 * 1024)
+               goto done;
+
        err = -ENOMEM;
        fl = kzalloc(sizeof(*fl), GFP_KERNEL);
        if (fl == NULL)
                goto done;
 
-       olen = optlen - CMSG_ALIGN(sizeof(*freq));
        if (olen > 0) {
                struct msghdr msg;
                struct flowi flowi;