summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'tags/2.6.18-11/30071_dccp-feature-length-check.patch')
-rw-r--r--tags/2.6.18-11/30071_dccp-feature-length-check.patch15
1 files changed, 15 insertions, 0 deletions
diff --git a/tags/2.6.18-11/30071_dccp-feature-length-check.patch b/tags/2.6.18-11/30071_dccp-feature-length-check.patch
new file mode 100644
index 0000000..9ceb18c
--- /dev/null
+++ b/tags/2.6.18-11/30071_dccp-feature-length-check.patch
@@ -0,0 +1,15 @@
+diff -urpN linux-source-2.6.18.orig/net/dccp/feat.c linux-source-2.6.18/net/dccp/feat.c
+--- linux-source-2.6.18.orig/net/dccp/feat.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/dccp/feat.c 2008-06-05 19:57:08.000000000 -0600
+@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisoc
+
+ dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
+
++ if (len > 3) {
++ if (net_ratelimit())
++ printk("%s: invalid length %d\n", __func__, len);
++ return -EINVAL;
++ }
+ /* XXX sanity check feat change request */
+
+ /* check if that feature is already being negotiated */