diff options
| author | Sridhar Samudrala <sri@us.ibm.com> | 2006-08-22 14:50:39 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-08-22 15:52:23 -0400 |
| commit | c164a9ba0a8870c5c9d353f63085319931d69f23 (patch) | |
| tree | 7e315a50008d0310dd5572a62baef34ddba89988 /include/net | |
| parent | ac185bdc02c216040f3b83f654d864bd8a29cedc (diff) | |
Fix sctp privilege elevation (CVE-2006-3745)
sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.
It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/sctp/sctp.h | 13 | ||||
| -rw-r--r-- | include/net/sctp/sm.h | 3 |
2 files changed, 1 insertions, 15 deletions
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index a9663b49ea54..92eae0e0f3f1 100644 --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h | |||
| @@ -404,19 +404,6 @@ static inline int sctp_list_single_entry(struct list_head *head) | |||
| 404 | return ((head->next != head) && (head->next == head->prev)); | 404 | return ((head->next != head) && (head->next == head->prev)); |
| 405 | } | 405 | } |
| 406 | 406 | ||
| 407 | /* Calculate the size (in bytes) occupied by the data of an iovec. */ | ||
| 408 | static inline size_t get_user_iov_size(struct iovec *iov, int iovlen) | ||
| 409 | { | ||
| 410 | size_t retval = 0; | ||
| 411 | |||
| 412 | for (; iovlen > 0; --iovlen) { | ||
| 413 | retval += iov->iov_len; | ||
| 414 | iov++; | ||
| 415 | } | ||
| 416 | |||
| 417 | return retval; | ||
| 418 | } | ||
| 419 | |||
| 420 | /* Generate a random jitter in the range of -50% ~ +50% of input RTO. */ | 407 | /* Generate a random jitter in the range of -50% ~ +50% of input RTO. */ |
| 421 | static inline __s32 sctp_jitter(__u32 rto) | 408 | static inline __s32 sctp_jitter(__u32 rto) |
| 422 | { | 409 | { |
diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h index 1eac3d0eb7a9..de313de4fefe 100644 --- a/include/net/sctp/sm.h +++ b/include/net/sctp/sm.h | |||
| @@ -221,8 +221,7 @@ struct sctp_chunk *sctp_make_abort_no_data(const struct sctp_association *, | |||
| 221 | const struct sctp_chunk *, | 221 | const struct sctp_chunk *, |
| 222 | __u32 tsn); | 222 | __u32 tsn); |
| 223 | struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *, | 223 | struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *, |
| 224 | const struct sctp_chunk *, | 224 | const struct msghdr *, size_t msg_len); |
| 225 | const struct msghdr *); | ||
| 226 | struct sctp_chunk *sctp_make_abort_violation(const struct sctp_association *, | 225 | struct sctp_chunk *sctp_make_abort_violation(const struct sctp_association *, |
| 227 | const struct sctp_chunk *, | 226 | const struct sctp_chunk *, |
| 228 | const __u8 *, | 227 | const __u8 *, |