Fix sctp privilege elevation (CVE-2006-3745)

sctp_make_abort_user() now takes the msg_len along with the msg so that we don't have to recalculate the bytes in iovec. It also uses memcpy_fromiovec() so that we don't go beyond the length allocated. It is good to have this fix even if verify_iovec() is fixed to return error on overflow. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Sridhar Samudrala <sri@us.ibm.com> 2006-08-22 14:50:39 -0400
committer: Greg Kroah-Hartman <gregkh@suse.de> 2006-08-22 15:52:23 -0400
commit: c164a9ba0a8870c5c9d353f63085319931d69f23 (patch)
tree: 7e315a50008d0310dd5572a62baef34ddba89988 /net/sctp/socket.c
parent: ac185bdc02c216040f3b83f654d864bd8a29cedc (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 54722e622e6d..fde3f55bfd4b 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1520,8 +1520,16 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
                        goto out_unlock;
                }
                if (sinfo_flags & SCTP_ABORT) {
+                        struct sctp_chunk *chunk;
+                        chunk = sctp_make_abort_user(asoc, msg, msg_len);
+                        if (!chunk) {
+                                err = -ENOMEM;
+                                goto out_unlock;
+                        }
                        SCTP_DEBUG_PRINTK("Aborting association: %p\n", asoc);
-                        sctp_primitive_ABORT(asoc, msg);
+                        sctp_primitive_ABORT(asoc, chunk);
                        err = 0;
                        goto out_unlock;
                }
author	Sridhar Samudrala <sri@us.ibm.com>	2006-08-22 14:50:39 -0400
committer	Greg Kroah-Hartman <gregkh@suse.de>	2006-08-22 15:52:23 -0400
commit	c164a9ba0a8870c5c9d353f63085319931d69f23 (patch)
tree	7e315a50008d0310dd5572a62baef34ddba89988 /net/sctp/socket.c
parent	ac185bdc02c216040f3b83f654d864bd8a29cedc (diff)