diff options
| author |   Sridhar Samudrala <sri@us.ibm.com> | 2006-08-22 11:50:39 -0700 |
|---|---|---|
| committer |   Greg Kroah-Hartman <gregkh@suse.de> | 2006-08-22 12:52:23 -0700 |
| commit | c164a9ba0a8870c5c9d353f63085319931d69f23 (patch) | |
| tree | 7e315a50008d0310dd5572a62baef34ddba89988 /include/net/sctp/sctp.h | |
| parent | Merge gregkh@master.kernel.org:/home/rmk/linux-2.6-arm (diff) | |
| download | linux-dev-c164a9ba0a8870c5c9d353f63085319931d69f23.tar.xz linux-dev-c164a9ba0a8870c5c9d353f63085319931d69f23.zip | |
Fix sctp privilege elevation (CVE-2006-3745)
sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.
It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'include/net/sctp/sctp.h')
| -rw-r--r-- | include/net/sctp/sctp.h | 13 |
1 files changed, 0 insertions, 13 deletions
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index a9663b49ea54..92eae0e0f3f1 100644 --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h @@ -404,19 +404,6 @@ static inline int sctp_list_single_entry(struct list_head *head) return ((head->next != head) && (head->next == head->prev)); } -/* Calculate the size (in bytes) occupied by the data of an iovec. */ -static inline size_t get_user_iov_size(struct iovec *iov, int iovlen) -{ - size_t retval = 0; - - for (; iovlen > 0; --iovlen) { - retval += iov->iov_len; - iov++; - } - - return retval; -} - /* Generate a random jitter in the range of -50% ~ +50% of input RTO. */ static inline __s32 sctp_jitter(__u32 rto) { |