diff options
| author | Sridhar Samudrala <sri@us.ibm.com> | 2006-08-22 14:50:39 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-08-22 15:52:23 -0400 |
| commit | c164a9ba0a8870c5c9d353f63085319931d69f23 (patch) | |
| tree | 7e315a50008d0310dd5572a62baef34ddba89988 /net/sctp/sm_make_chunk.c | |
| parent | ac185bdc02c216040f3b83f654d864bd8a29cedc (diff) | |
Fix sctp privilege elevation (CVE-2006-3745)
sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.
It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net/sctp/sm_make_chunk.c')
| -rw-r--r-- | net/sctp/sm_make_chunk.c | 30 |
1 files changed, 9 insertions, 21 deletions
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 4f11f5858209..17b509282cf2 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c | |||
| @@ -806,38 +806,26 @@ no_mem: | |||
| 806 | 806 | ||
| 807 | /* Helper to create ABORT with a SCTP_ERROR_USER_ABORT error. */ | 807 | /* Helper to create ABORT with a SCTP_ERROR_USER_ABORT error. */ |
| 808 | struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *asoc, | 808 | struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *asoc, |
| 809 | const struct sctp_chunk *chunk, | 809 | const struct msghdr *msg, |
| 810 | const struct msghdr *msg) | 810 | size_t paylen) |
| 811 | { | 811 | { |
| 812 | struct sctp_chunk *retval; | 812 | struct sctp_chunk *retval; |
| 813 | void *payload = NULL, *payoff; | 813 | void *payload = NULL; |
| 814 | size_t paylen = 0; | 814 | int err; |
| 815 | struct iovec *iov = NULL; | ||
| 816 | int iovlen = 0; | ||
| 817 | |||
| 818 | if (msg) { | ||
| 819 | iov = msg->msg_iov; | ||
| 820 | iovlen = msg->msg_iovlen; | ||
| 821 | paylen = get_user_iov_size(iov, iovlen); | ||
| 822 | } | ||
| 823 | 815 | ||
| 824 | retval = sctp_make_abort(asoc, chunk, sizeof(sctp_errhdr_t) + paylen); | 816 | retval = sctp_make_abort(asoc, NULL, sizeof(sctp_errhdr_t) + paylen); |
| 825 | if (!retval) | 817 | if (!retval) |
| 826 | goto err_chunk; | 818 | goto err_chunk; |
| 827 | 819 | ||
| 828 | if (paylen) { | 820 | if (paylen) { |
| 829 | /* Put the msg_iov together into payload. */ | 821 | /* Put the msg_iov together into payload. */ |
| 830 | payload = kmalloc(paylen, GFP_ATOMIC); | 822 | payload = kmalloc(paylen, GFP_KERNEL); |
| 831 | if (!payload) | 823 | if (!payload) |
| 832 | goto err_payload; | 824 | goto err_payload; |
| 833 | payoff = payload; | ||
| 834 | 825 | ||
| 835 | for (; iovlen > 0; --iovlen) { | 826 | err = memcpy_fromiovec(payload, msg->msg_iov, paylen); |
| 836 | if (copy_from_user(payoff, iov->iov_base,iov->iov_len)) | 827 | if (err < 0) |
| 837 | goto err_copy; | 828 | goto err_copy; |
| 838 | payoff += iov->iov_len; | ||
| 839 | iov++; | ||
| 840 | } | ||
| 841 | } | 829 | } |
| 842 | 830 | ||
| 843 | sctp_init_cause(retval, SCTP_ERROR_USER_ABORT, payload, paylen); | 831 | sctp_init_cause(retval, SCTP_ERROR_USER_ABORT, payload, paylen); |