Fix sctp privilege elevation (CVE-2006-3745)

sctp_make_abort_user() now takes the msg_len along with the msg so that we don't have to recalculate the bytes in iovec. It also uses memcpy_fromiovec() so that we don't go beyond the length allocated. It is good to have this fix even if verify_iovec() is fixed to return error on overflow. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Sridhar Samudrala <sri@us.ibm.com> 2006-08-22 14:50:39 -0400
committer: Greg Kroah-Hartman <gregkh@suse.de> 2006-08-22 15:52:23 -0400
commit: c164a9ba0a8870c5c9d353f63085319931d69f23 (patch)
tree: 7e315a50008d0310dd5572a62baef34ddba89988 /include/net/sctp/sctp.h
parent: ac185bdc02c216040f3b83f654d864bd8a29cedc (diff)
1 files changed, 0 insertions, 13 deletions
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index a9663b49ea54..92eae0e0f3f1 100644
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -404,19 +404,6 @@ static inline int sctp_list_single_entry(struct list_head *head)
        return ((head->next != head) && (head->next == head->prev));
 }
-/* Calculate the size (in bytes) occupied by the data of an iovec.  */
-static inline size_t get_user_iov_size(struct iovec *iov, int iovlen)
-{
-        size_t retval = 0;
-        for (; iovlen > 0; --iovlen) {
-                retval += iov->iov_len;
-                iov++;
-        }
-        return retval;
-}
 /* Generate a random jitter in the range of -50% ~ +50% of input RTO. */
 static inline __s32 sctp_jitter(__u32 rto)
 {
author	Sridhar Samudrala <sri@us.ibm.com>	2006-08-22 14:50:39 -0400
committer	Greg Kroah-Hartman <gregkh@suse.de>	2006-08-22 15:52:23 -0400
commit	c164a9ba0a8870c5c9d353f63085319931d69f23 (patch)
tree	7e315a50008d0310dd5572a62baef34ddba89988 /include/net/sctp/sctp.h
parent	ac185bdc02c216040f3b83f654d864bd8a29cedc (diff)

diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index a9663b49ea54..92eae0e0f3f1 100644 --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h
@@ -404,19 +404,6 @@ static inline int sctp_list_single_entry(struct list_head *head)
404	return ((head->next != head) && (head->next == head->prev));	404	return ((head->next != head) && (head->next == head->prev));
405	}	405	}
406		406
407	/* Calculate the size (in bytes) occupied by the data of an iovec. */
408	static inline size_t get_user_iov_size(struct iovec *iov, int iovlen)
409	{
410	size_t retval = 0;
411
412	for (; iovlen > 0; --iovlen) {
413	retval += iov->iov_len;
414	iov++;
415	}
416
417	return retval;
418	}
419
420	/* Generate a random jitter in the range of -50% ~ +50% of input RTO. */	407	/* Generate a random jitter in the range of -50% ~ +50% of input RTO. */
421	static inline __s32 sctp_jitter(__u32 rto)	408	static inline __s32 sctp_jitter(__u32 rto)
422	{	409	{