diff mbox

sctp: check len in sctp_getsockopt_assoc_stats()

Message ID 20130227204144.GA11300@longonot.mountain
State Not Applicable, archived
Delegated to: David Miller
Headers show

Commit Message

Dan Carpenter Feb. 27, 2013, 8:41 p.m. UTC 
This check is missing an upper bound.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This should go in 3.8 -stable as well.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

David Miller Feb. 27, 2013, 8:45 p.m. UTC | #1 
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 27 Feb 2013 23:41:44 +0300

> This check is missing an upper bound.
> 
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This should go in 3.8 -stable as well.

There is a discussion and patch on netdev already.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index c99458d..fbd8386 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5652,6 +5652,8 @@  static int sctp_getsockopt_assoc_stats(struct sock *sk, int len,
 	/* User must provide at least the assoc id */
 	if (len < sizeof(sctp_assoc_t))
 		return -EINVAL;
+	if (len > sizeof(struct sctp_assoc_stats))
+		len = sizeof(struct sctp_assoc_stats);
 
 	if (copy_from_user(&sas, optval, len))
 		return -EFAULT;