[SCTP] bug: sctp_assoc_control_transport() breakage

a) struct sockaddr_storage * passed to sctp_ulpevent_make_peer_addr_change() actually points at union sctp_addr field in a structure. Then that sucker gets copied to userland, with whatever junk we might have there. b) it's actually having host-endian sin_port. Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: N David S. Miller <davem@davemloft.net>

[SCTP] bug: sctp_assoc_control_transport() breakage
a) struct sockaddr_storage * passed to sctp_ulpevent_make_peer_addr_change() actually points at union sctp_addr field in a structure. Then that sucker gets copied to userland, with whatever junk we might have there. b) it's actually having host-endian sin_port. Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: N David S. Miller <davem@davemloft.net>
0906e20f · Al Viro · David S. Miller · d5c747f6 · 0906e20f
隐藏空白更改
内联并排

Showing with 4 addition and 2 deletion

net/sctp/associola.c net/sctp/associola.c +4 -2

未找到文件。
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -709,6 +709,7 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
 	struct sctp_transport *first;
 	struct sctp_transport *second;
 	struct sctp_ulpevent *event;
+	struct sockaddr_storage addr;
 	struct list_head *pos;
 	int spc_state = 0;

@@ -731,8 +732,9 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
 	/* Generate and send a SCTP_PEER_ADDR_CHANGE notification to the
 	 * user.
 	 */
-	event = sctp_ulpevent_make_peer_addr_change(asoc,
-				(struct sockaddr_storage *) &transport->ipaddr,
+	memset(&addr, 0, sizeof(struct sockaddr_storage));
+	flip_to_n((union sctp_addr *)&addr, &transport->ipaddr);
+	event = sctp_ulpevent_make_peer_addr_change(asoc, &addr,
 				0, spc_state, error, GFP_ATOMIC);
 	if (event)
 		sctp_ulpq_tail_event(&asoc->ulpq, event);