seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds

[sfrench/cifs-2.6.git] / net / ipv6 / ipv6_sockglue.c

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index adbfed6adf11cfa1fbfcaa0a188d31d51be1ecf9..20576e87a5f7e87b99d6fbd5370771738b3a52e0 100644 (file)
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -218,14 +218,15 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
                                        retv = -EBUSY;
                                        break;
                                }
-                       }
-                       if (sk->sk_protocol == IPPROTO_TCP &&
-                           sk->sk_prot != &tcpv6_prot) {
-                               retv = -EBUSY;
+                       } else if (sk->sk_protocol == IPPROTO_TCP) {
+                               if (sk->sk_prot != &tcpv6_prot) {
+                                       retv = -EBUSY;
+                                       break;
+                               }
+                       } else {
                                break;
                        }
-                       if (sk->sk_protocol != IPPROTO_TCP)
-                               break;
+
                        if (sk->sk_state != TCP_ESTABLISHED) {
                                retv = -ENOTCONN;
                                break;
@@ -492,7 +493,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
                                struct ipv6_sr_hdr *srh = (struct ipv6_sr_hdr *)
                                                          opt->srcrt;
 
-                               if (!seg6_validate_srh(srh, optlen))
+                               if (!seg6_validate_srh(srh, optlen, false))
                                        goto sticky_done;
                                break;
                        }