Skip to content

Commit

Permalink
sctp: fix the length check in sctp_getsockopt_maxburst()
Browse files Browse the repository at this point in the history 
The code in sctp_getsockopt_maxburst() doesn't allow len to be larger
then struct sctp_assoc_value, which is a common case where app writers
just pass down the sizeof(buf) or something similar.

This patch fix the problem.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Wei Yongjun authored and David S. Miller committed Mar 3, 2009
1 parent d212318 commit c6db93a
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion net/sctp/socket.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5286,7 +5286,8 @@ static int sctp_getsockopt_maxburst(struct sock *sk, int len,
printk(KERN_WARNING
"SCTP: Use struct sctp_assoc_value instead\n");
params.assoc_id = 0;
} else if (len == sizeof (struct sctp_assoc_value)) {
} else if (len >= sizeof(struct sctp_assoc_value)) {
len = sizeof(struct sctp_assoc_value);
if (copy_from_user(&params, optval, len))
return -EFAULT;
} else
Expand Down

0 comments on commit c6db93a

Please sign in to comment.