From patchwork Mon Mar 2 19:46:12 2009 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vlad Yasevich X-Patchwork-Id: 23967 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.176.167]) by ozlabs.org (Postfix) with ESMTP id 4DE1ADDF03 for ; Tue, 3 Mar 2009 06:46:45 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754738AbZCBTqb (ORCPT ); Mon, 2 Mar 2009 14:46:31 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1754473AbZCBTqa (ORCPT ); Mon, 2 Mar 2009 14:46:30 -0500 Received: from g1t0027.austin.hp.com ([15.216.28.34]:34376 "EHLO g1t0027.austin.hp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754259AbZCBTqX (ORCPT ); Mon, 2 Mar 2009 14:46:23 -0500 Received: from smtp2.fc.hp.com (smtp.fc.hp.com [15.11.136.114]) by g1t0027.austin.hp.com (Postfix) with ESMTP id 9FB1B38497; Mon, 2 Mar 2009 19:46:22 +0000 (UTC) Received: from localhost.localdomain (squirrel.fc.hp.com [15.11.146.57]) by smtp2.fc.hp.com (Postfix) with ESMTP id E27B82B5B5C; Mon, 2 Mar 2009 19:24:08 +0000 (UTC) From: Vlad Yasevich To: netdev@vger.kernel.org Cc: davem@davemloft.net, linux-sctp@vger.kernel.org, Wei Yongjun , Vlad Yasevich Subject: [PATCH net-next 3/5] sctp: fix the length check in sctp_getsockopt_maxburst() Date: Mon, 2 Mar 2009 14:46:12 -0500 Message-Id: <1236023174-18314-4-git-send-email-vladislav.yasevich@hp.com> X-Mailer: git-send-email 1.5.4.3 In-Reply-To: <1236023174-18314-3-git-send-email-vladislav.yasevich@hp.com> References: <> <1236023174-18314-1-git-send-email-vladislav.yasevich@hp.com> <1236023174-18314-2-git-send-email-vladislav.yasevich@hp.com> <1236023174-18314-3-git-send-email-vladislav.yasevich@hp.com> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Wei Yongjun The code in sctp_getsockopt_maxburst() doesn't allow len to be larger then struct sctp_assoc_value, which is a common case where app writers just pass down the sizeof(buf) or something similar. This patch fix the problem. Signed-off-by: Wei Yongjun Signed-off-by: Vlad Yasevich --- net/sctp/socket.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 4bc558c..bbd3cd2 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -5286,7 +5286,8 @@ static int sctp_getsockopt_maxburst(struct sock *sk, int len, printk(KERN_WARNING "SCTP: Use struct sctp_assoc_value instead\n"); params.assoc_id = 0; - } else if (len == sizeof (struct sctp_assoc_value)) { + } else if (len >= sizeof(struct sctp_assoc_value)) { + len = sizeof(struct sctp_assoc_value); if (copy_from_user(¶ms, optval, len)) return -EFAULT; } else