aboutsummaryrefslogtreecommitdiffstats
path: root/include/net/sctp
diff options
context:
space:
mode:
authorSridhar Samudrala <sri@us.ibm.com>2006-08-22 14:50:39 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2006-08-22 15:52:23 -0400
commitc164a9ba0a8870c5c9d353f63085319931d69f23 (patch)
tree7e315a50008d0310dd5572a62baef34ddba89988 /include/net/sctp
parentac185bdc02c216040f3b83f654d864bd8a29cedc (diff)
Fix sctp privilege elevation (CVE-2006-3745)
sctp_make_abort_user() now takes the msg_len along with the msg so that we don't have to recalculate the bytes in iovec. It also uses memcpy_fromiovec() so that we don't go beyond the length allocated. It is good to have this fix even if verify_iovec() is fixed to return error on overflow. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'include/net/sctp')
-rw-r--r--include/net/sctp/sctp.h13
-rw-r--r--include/net/sctp/sm.h3
2 files changed, 1 insertions, 15 deletions
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index a9663b49ea54..92eae0e0f3f1 100644
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -404,19 +404,6 @@ static inline int sctp_list_single_entry(struct list_head *head)
404 return ((head->next != head) && (head->next == head->prev)); 404 return ((head->next != head) && (head->next == head->prev));
405} 405}
406 406
407/* Calculate the size (in bytes) occupied by the data of an iovec. */
408static inline size_t get_user_iov_size(struct iovec *iov, int iovlen)
409{
410 size_t retval = 0;
411
412 for (; iovlen > 0; --iovlen) {
413 retval += iov->iov_len;
414 iov++;
415 }
416
417 return retval;
418}
419
420/* Generate a random jitter in the range of -50% ~ +50% of input RTO. */ 407/* Generate a random jitter in the range of -50% ~ +50% of input RTO. */
421static inline __s32 sctp_jitter(__u32 rto) 408static inline __s32 sctp_jitter(__u32 rto)
422{ 409{
diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
index 1eac3d0eb7a9..de313de4fefe 100644
--- a/include/net/sctp/sm.h
+++ b/include/net/sctp/sm.h
@@ -221,8 +221,7 @@ struct sctp_chunk *sctp_make_abort_no_data(const struct sctp_association *,
221 const struct sctp_chunk *, 221 const struct sctp_chunk *,
222 __u32 tsn); 222 __u32 tsn);
223struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *, 223struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *,
224 const struct sctp_chunk *, 224 const struct msghdr *, size_t msg_len);
225 const struct msghdr *);
226struct sctp_chunk *sctp_make_abort_violation(const struct sctp_association *, 225struct sctp_chunk *sctp_make_abort_violation(const struct sctp_association *,
227 const struct sctp_chunk *, 226 const struct sctp_chunk *,
228 const __u8 *, 227 const __u8 *,