Bug 522225

Summary: do_ip_setsockopt doesn't copy the full ip_mreq for IP_MULTICAST_IF.
Product: Red Hat Enterprise Linux 5
Reporter: Marc Milgram <mmilgram>
Component: kernel
Assignee: Danny Feng <dfeng>
Status: CLOSED NOTABUG
QA Contact: Red Hat Kernel QE team <kernel-qe>
Severity: medium
Priority: medium
Version: 5.3
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-09-18 02:10:33 UTC

Description Marc Milgram 2009-09-09 19:42:27 UTC
Description of problem:
do_ip_setsockopt doesn't copy the full ip_mreq for IP_MULTICAST_IF.

Version-Release number of selected component (if applicable):
kernel-2.6.18-128

How reproducible:
Unknown.  Visible in code inspection.

Steps to Reproduce:
1. Call setsockopt() for IP_MULTICAST_IF with an ip_mreq for the argument.
2. View the results (in kernel data structures)
  
Actual results:
Only one in_addr is copied

Expected results:
Entire ip_mreq is copied

Additional info:

Comment 2 Marc Milgram 2009-09-09 20:05:04 UTC
Here is a manually created diff that illustrates how this could be fixed:

			if (optlen >= sizeof(struct ip_mreqn)) {
				if (copy_from_user(&mreq,optval,sizeof(mreq)))
					break;
+			} else if (optlen >= sizeof(struct ip_mreq)) {
+			memset(&mreq, 0, sizeof(mreq));
+				if (copy_from_user(&mreq,optval,sizeof(struct ip_mreq)))
+					break;
			} else {
				memset(&mreq, 0, sizeof(mreq));
				if (optlen >= sizeof(struct in_addr) &&
				    copy_from_user(&mreq.imr_address,optval,sizeof(struct in_addr)))
					break;
			}
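
Review bot: the new `else if (optlen >= sizeof(struct ip_mreq))` branch silently changes how an existing caller's buffer is interpreted, and the change should either be called out as intentional or be dropped. Without it, any optlen below sizeof(struct ip_mreqn) goes to the final else branch, which copies the first sizeof(struct in_addr) bytes of optval into mreq.imr_address. With it, a buffer of at least sizeof(struct ip_mreq) bytes is copied to the start of mreq, so the first in_addr lands in the leading member (imr_multiaddr in struct ip_mreqn) and the second one becomes imr_address. A caller that passes a bare in_addr in a larger buffer, or passes a longer optlen than it needs, would have a different address selected as the interface after this change. If the new interpretation is wanted, say so in the description and document that IP_MULTICAST_IF then accepts three argument layouts, selected by optlen alone. Style: the added `memset(&mreq, 0, sizeof(mreq));` line is indented one tab less than the `if (copy_from_user(...))` that follows it in the same block.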