Bug 522225 - do_ip_setsockopt doesn't copy the full ip_mreq for IP_MULTICAST_IF.
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Danny Feng
QA Contact: Red Hat Kernel QE team
Reported: 2009-09-09 19:42 UTC by Marc Milgram
Modified: 2009-09-18 13:01 UTC (History)

Doc Type: Bug Fix
Last Closed: 2009-09-18 02:10:33 UTC

Description Marc Milgram 2009-09-09 19:42:27 UTC
Description of problem:
do_ip_setsockopt doesn't copy the full ip_mreq for IP_MULTICAST_IF.

Version-Release number of selected component (if applicable):
kernel-2.6.18-128

How reproducible:
Unknown.  Visible in code inspection.

Steps to Reproduce:
1. Call setsockopt() for IP_MULTICAST_IF with an ip_mreq for the argument.
2. View the results (in kernel data structures)
  
Actual results:
Only one in_addr is copied

Expected results:
Entire ip_mreq is copied

Additional info:

Comment 2 Marc Milgram 2009-09-09 20:05:04 UTC
Here is a manually created diff that illustrates how this could be fixed:

			if (optlen >= sizeof(struct ip_mreqn)) {
				if (copy_from_user(&mreq,optval,sizeof(mreq)))
					break;
+			} else if (optlen >= sizeof(struct ip_mreq)) {
+			memset(&mreq, 0, sizeof(mreq));
+				if (copy_from_user(&mreq,optval,sizeof(struct ip_mreq)))
+					break;
			} else {
				memset(&mreq, 0, sizeof(mreq));
				if (optlen >= sizeof(struct in_addr) &&
				    copy_from_user(&mreq.imr_address,optval,sizeof(struct in_addr)))
					break;
			}
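
Review bot: The added `else if (optlen >= sizeof(struct ip_mreq))` branch changes how an optval of 8 bytes or more is interpreted, and that needs to be called out or guarded. The existing fallback copies the first in_addr of optval into mreq.imr_address, whereas the new branch copies it to the start of mreq (imr_multiaddr in struct ip_mreqn), so a caller that passes a lone struct in_addr with an optlen of sizeof(struct ip_mreq) or more would have its address land in a different field than before. The copy also relies on struct ip_mreq matching the layout of the leading part of mreq; a one-line comment stating that assumption would help. The memset line in the added branch is indented one level short of the copy_from_user line below it.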

