[SCTP]: Incorrect length was used in SCTP_*_AUTH_CHUNKS socket option (b40db684) · Commits · e / devices / android_kernel_teracube_2e

net/sctp/socket.c

+8 −4

Original line number	Diff line number	Diff line
		@@ -5070,6 +5070,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
		struct sctp_authchunks val;
		struct sctp_association *asoc;
		struct sctp_chunks_param *ch;
		u32 num_chunks;
		char __user *to;

		if (len <= sizeof(struct sctp_authchunks))
		@@ -5086,10 +5087,11 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
		ch = asoc->peer.peer_chunks;

		/* See if the user provided enough room for all the data */
		if (len < ntohs(ch->param_hdr.length))
		num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
		if (len < num_chunks)
		return -EINVAL;

		len = ntohs(ch->param_hdr.length);
		len = num_chunks;
		if (put_user(len, optlen))
		return -EFAULT;
		if (copy_to_user(to, ch->chunks, len))
		@@ -5105,6 +5107,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
		struct sctp_authchunks val;
		struct sctp_association *asoc;
		struct sctp_chunks_param *ch;
		u32 num_chunks;
		char __user *to;

		if (len <= sizeof(struct sctp_authchunks))
		@@ -5123,10 +5126,11 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
		else
		ch = sctp_sk(sk)->ep->auth_chunk_list;

		if (len < ntohs(ch->param_hdr.length))
		num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
		if (len < num_chunks)
		return -EINVAL;

		len = ntohs(ch->param_hdr.length);
		len = num_chunks;
		if (put_user(len, optlen))
		return -EFAULT;
		if (copy_to_user(to, ch->chunks, len))