diff options
| author | Wei Yongjun <yjwei@cn.fujitsu.com> | 2009-03-02 04:46:12 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2009-03-03 01:49:17 -0500 |
| commit | c6db93a58f1745cfe1acc2e1a1d68afc3245eced (patch) | |
| tree | b4e88d10bc75fa6565d91202460fb3f0ed5cc7c5 /net | |
| parent | d212318c9d1b11ff44b57f90b4f9d9c9b31a6ced (diff) | |
sctp: fix the length check in sctp_getsockopt_maxburst()
The code in sctp_getsockopt_maxburst() doesn't allow len to be larger
then struct sctp_assoc_value, which is a common case where app writers
just pass down the sizeof(buf) or something similar.
This patch fix the problem.
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/sctp/socket.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 4bc558c19fcf..bbd3cd238d7f 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c | |||
| @@ -5286,7 +5286,8 @@ static int sctp_getsockopt_maxburst(struct sock *sk, int len, | |||
| 5286 | printk(KERN_WARNING | 5286 | printk(KERN_WARNING |
| 5287 | "SCTP: Use struct sctp_assoc_value instead\n"); | 5287 | "SCTP: Use struct sctp_assoc_value instead\n"); |
| 5288 | params.assoc_id = 0; | 5288 | params.assoc_id = 0; |
| 5289 | } else if (len == sizeof (struct sctp_assoc_value)) { | 5289 | } else if (len >= sizeof(struct sctp_assoc_value)) { |
| 5290 | len = sizeof(struct sctp_assoc_value); | ||
| 5290 | if (copy_from_user(¶ms, optval, len)) | 5291 | if (copy_from_user(¶ms, optval, len)) |
| 5291 | return -EFAULT; | 5292 | return -EFAULT; |
| 5292 | } else | 5293 | } else |