Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c6db93a5 authored by Wei Yongjun's avatar Wei Yongjun Committed by David S. Miller
Browse files

sctp: fix the length check in sctp_getsockopt_maxburst() 



The code in sctp_getsockopt_maxburst() doesn't allow len to be larger
then struct sctp_assoc_value, which is a common case where app writers
just pass down the sizeof(buf) or something similar.

This patch fix the problem.

Signed-off-by: default avatarWei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent d212318c

net/sctp/socket.c

+2 −1
Original line number Diff line number Diff line
@@ -5286,7 +5286,8 @@ static int sctp_getsockopt_maxburst(struct sock *sk, int len, 
		printk(KERN_WARNING

		   "SCTP: Use struct sctp_assoc_value instead\n");

		params.assoc_id = 0;

	} else if (len == sizeof (struct sctp_assoc_value)) {

	} else if (len >= sizeof(struct sctp_assoc_value)) {

		len = sizeof(struct sctp_assoc_value);

		if (copy_from_user(&params, optval, len))

			return -EFAULT;

	} else