[FEISTY] CVE-2007-1730: [PATCH] DCCP: Fix exploitable hole in DCCP socket options
Phillip Lougher
phillip at lougher.demon.co.uk
Tue May 1 23:51:48 UTC 2007
From 8d5c5ad485c30a96ab078df2f71b4da207b58c67 Mon Sep 17 00:00:00 2001
From: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
Date: Thu, 29 Mar 2007 11:57:36 -0700
Subject: [PATCH] DCCP: Fix exploitable hole in DCCP socket options (CVE-2007-1730)
[DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV
We were only checking if there was enough space to put the int, but
left len as specified by the (malicious) user, sigh, fix it by setting
len to sizeof(val) and transferring just one int worth of data, the one
asked for.
Also check for negative len values.
Signed-off-by: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
Signed-off-by: David S. Miller <davem at davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
net/dccp/proto.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 63b3fa2..88ed359 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -575,7 +575,7 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
if (get_user(len, optlen))
return -EFAULT;
- if (len < sizeof(int))
+ if (len < (int)sizeof(int))
return -EINVAL;
dp = dccp_sk(sk);
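Review bot: the `(int)` cast in `if (len < (int)sizeof(int))` is the whole fix for the negative-length case and deserves a one-line comment, because it looks like a gratuitous cast that a later cleanup could strip. Without it, `len` (an `int` read from the user via `get_user(len, optlen)`) is promoted to `size_t` for the comparison, so a negative value such as -1 becomes a huge unsigned number, passes the `< sizeof(int)` test, and reaches the copy-out path as a negative length. With the cast the comparison is done in signed arithmetic and every negative `len` is rejected with `-EINVAL`. An alternative that makes the intent self-documenting is an explicit `if (len < 0 || len < sizeof(int))`, but either way a comment referencing the signedness issue would protect the fix.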
@@ -589,9 +589,11 @@ static int do_dccp_getsockopt(struct sock *sk, int level, int optname,
(__be32 __user *)optval, optlen);
case DCCP_SOCKOPT_SEND_CSCOV:
val = dp->dccps_pcslen;
+ len = sizeof(val);
break;
case DCCP_SOCKOPT_RECV_CSCOV:
val = dp->dccps_pcrlen;
+ len = sizeof(val);
break;
case 128 ... 191:
return ccid_hc_rx_getsockopt(dp->dccps_hc_rx_ccid, sk, optname,
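Review bot: the two `DCCP_SOCKOPT_SEND_CSCOV` / `DCCP_SOCKOPT_RECV_CSCOV` cases each add an identical `len = sizeof(val);` line, which clamps the user-supplied length so the copy-out after the switch (not shown in this hunk) only ever transfers one `int` of `val` rather than `len` bytes of stack. Rather than repeating the clamp per case, consider setting `len = sizeof(val);` once on the common path just before the copy-out, so that any future case that falls through to the shared `put_user`/`copy_to_user` with an `int` in `val` is covered by default instead of depending on each author remembering the line. Also worth confirming in review that the copy-out in the unshown tail actually honours `len` (the commit message says it now transfers "just one int worth of data"), since the hunk itself only shows the assignment, not its consumer.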
--
1.4.4.2