sctp: fix the length check in sctp_getsockopt_maxburst()

The code in sctp_getsockopt_maxburst() doesn't allow len to be larger then struct sctp_assoc_value, which is a common case where app writers just pass down the sizeof(buf) or something similar. This patch fix the problem. Signed-off-by: N Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: N Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

sctp: fix the length check in sctp_getsockopt_maxburst()
The code in sctp_getsockopt_maxburst() doesn't allow len to be larger then struct sctp_assoc_value, which is a common case where app writers just pass down the sizeof(buf) or something similar. This patch fix the problem. Signed-off-by: N Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: N Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
c6db93a5 · Wei Yongjun · David S. Miller · d212318c · c6db93a5
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

net/sctp/socket.c net/sctp/socket.c +2 -1

未找到文件。
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5286,7 +5286,8 @@ static int sctp_getsockopt_maxburst(struct sock *sk, int len,
 		printk(KERN_WARNING
 		   "SCTP: Use struct sctp_assoc_value instead\n");
 		params.assoc_id = 0;
-	} else if (len == sizeof (struct sctp_assoc_value)) {
+	} else if (len >= sizeof(struct sctp_assoc_value)) {
+		len = sizeof(struct sctp_assoc_value);
 		if (copy_from_user(&params, optval, len))
 			return -EFAULT;
 	} else