diff options
| author | Sridhar Samudrala <sri@us.ibm.com> | 2006-08-22 14:50:39 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-08-22 15:52:23 -0400 |
| commit | c164a9ba0a8870c5c9d353f63085319931d69f23 (patch) | |
| tree | 7e315a50008d0310dd5572a62baef34ddba89988 /net/sctp/sm_statefuns.c | |
| parent | ac185bdc02c216040f3b83f654d864bd8a29cedc (diff) | |
Fix sctp privilege elevation (CVE-2006-3745)
sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.
It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net/sctp/sm_statefuns.c')
| -rw-r--r-- | net/sctp/sm_statefuns.c | 20 |
1 files changed, 4 insertions, 16 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index ead3f1b0ea3d..5b5ae7958322 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c | |||
| @@ -4031,18 +4031,12 @@ sctp_disposition_t sctp_sf_do_9_1_prm_abort( | |||
| 4031 | * from its upper layer, but retransmits data to the far end | 4031 | * from its upper layer, but retransmits data to the far end |
| 4032 | * if necessary to fill gaps. | 4032 | * if necessary to fill gaps. |
| 4033 | */ | 4033 | */ |
| 4034 | struct msghdr *msg = arg; | 4034 | struct sctp_chunk *abort = arg; |
| 4035 | struct sctp_chunk *abort; | ||
| 4036 | sctp_disposition_t retval; | 4035 | sctp_disposition_t retval; |
| 4037 | 4036 | ||
| 4038 | retval = SCTP_DISPOSITION_CONSUME; | 4037 | retval = SCTP_DISPOSITION_CONSUME; |
| 4039 | 4038 | ||
| 4040 | /* Generate ABORT chunk to send the peer. */ | 4039 | sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); |
| 4041 | abort = sctp_make_abort_user(asoc, NULL, msg); | ||
| 4042 | if (!abort) | ||
| 4043 | retval = SCTP_DISPOSITION_NOMEM; | ||
| 4044 | else | ||
| 4045 | sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); | ||
| 4046 | 4040 | ||
| 4047 | /* Even if we can't send the ABORT due to low memory delete the | 4041 | /* Even if we can't send the ABORT due to low memory delete the |
| 4048 | * TCB. This is a departure from our typical NOMEM handling. | 4042 | * TCB. This is a departure from our typical NOMEM handling. |
| @@ -4166,8 +4160,7 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort( | |||
| 4166 | void *arg, | 4160 | void *arg, |
| 4167 | sctp_cmd_seq_t *commands) | 4161 | sctp_cmd_seq_t *commands) |
| 4168 | { | 4162 | { |
| 4169 | struct msghdr *msg = arg; | 4163 | struct sctp_chunk *abort = arg; |
| 4170 | struct sctp_chunk *abort; | ||
| 4171 | sctp_disposition_t retval; | 4164 | sctp_disposition_t retval; |
| 4172 | 4165 | ||
| 4173 | /* Stop T1-init timer */ | 4166 | /* Stop T1-init timer */ |
| @@ -4175,12 +4168,7 @@ sctp_disposition_t sctp_sf_cookie_wait_prm_abort( | |||
| 4175 | SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); | 4168 | SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); |
| 4176 | retval = SCTP_DISPOSITION_CONSUME; | 4169 | retval = SCTP_DISPOSITION_CONSUME; |
| 4177 | 4170 | ||
| 4178 | /* Generate ABORT chunk to send the peer */ | 4171 | sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); |
| 4179 | abort = sctp_make_abort_user(asoc, NULL, msg); | ||
| 4180 | if (!abort) | ||
| 4181 | retval = SCTP_DISPOSITION_NOMEM; | ||
| 4182 | else | ||
| 4183 | sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); | ||
| 4184 | 4172 | ||
| 4185 | sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, | 4173 | sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE, |
| 4186 | SCTP_STATE(SCTP_STATE_CLOSED)); | 4174 | SCTP_STATE(SCTP_STATE_CLOSED)); |