提交 0906e20f 编写于 作者: A Al Viro 提交者: David S. Miller

[SCTP] bug: sctp_assoc_control_transport() breakage

a) struct sockaddr_storage * passed to sctp_ulpevent_make_peer_addr_change()
actually points at union sctp_addr field in a structure.  Then that sucker
gets copied to userland, with whatever junk we might have there.

b) it's actually having host-endian sin_port.
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 d5c747f6
...@@ -709,6 +709,7 @@ void sctp_assoc_control_transport(struct sctp_association *asoc, ...@@ -709,6 +709,7 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
struct sctp_transport *first; struct sctp_transport *first;
struct sctp_transport *second; struct sctp_transport *second;
struct sctp_ulpevent *event; struct sctp_ulpevent *event;
struct sockaddr_storage addr;
struct list_head *pos; struct list_head *pos;
int spc_state = 0; int spc_state = 0;
...@@ -731,8 +732,9 @@ void sctp_assoc_control_transport(struct sctp_association *asoc, ...@@ -731,8 +732,9 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
/* Generate and send a SCTP_PEER_ADDR_CHANGE notification to the /* Generate and send a SCTP_PEER_ADDR_CHANGE notification to the
* user. * user.
*/ */
event = sctp_ulpevent_make_peer_addr_change(asoc, memset(&addr, 0, sizeof(struct sockaddr_storage));
(struct sockaddr_storage *) &transport->ipaddr, flip_to_n((union sctp_addr *)&addr, &transport->ipaddr);
event = sctp_ulpevent_make_peer_addr_change(asoc, &addr,
0, spc_state, error, GFP_ATOMIC); 0, spc_state, error, GFP_ATOMIC);
if (event) if (event)
sctp_ulpq_tail_event(&asoc->ulpq, event); sctp_ulpq_tail_event(&asoc->ulpq, event);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册