diff options
| author |   Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> | 2016-03-08 10:34:28 -0300 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2016-03-08 15:04:08 -0500 |
| commit | 133800d1f0288b9ddfc0d0aded10d9efa82d5b8c (patch) | |
| tree | fa156a2753d1c80c12910790cb12ddf6db7da30b /net/sctp/sm_make_chunk.c | |
| parent | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (diff) | |
| download | linux-dev-133800d1f0288b9ddfc0d0aded10d9efa82d5b8c.tar.xz linux-dev-133800d1f0288b9ddfc0d0aded10d9efa82d5b8c.zip | |
sctp: fix copying more bytes than expected in sctp_add_bind_addr
Dmitry reported that sctp_add_bind_addr may read more bytes than
expected in case the parameter is a IPv4 addr supplied by the user
through calls such as sctp_bindx_add(), because it always copies
sizeof(union sctp_addr) while the buffer may be just a struct
sockaddr_in, which is smaller.
This patch then fixes it by limiting the memcpy to the min between the
union size and a (new parameter) provided addr size. Where possible this
parameter still is the size of that union, except for reading from
user-provided buffers, which then it accounts for protocol type.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp/sm_make_chunk.c')
| -rw-r--r-- | net/sctp/sm_make_chunk.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 5d6a03fad378..7fe971e30ad6 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -1830,7 +1830,8 @@ no_hmac: /* Also, add the destination address. */ if (list_empty(&retval->base.bind_addr.address_list)) { sctp_add_bind_addr(&retval->base.bind_addr, &chunk->dest, - SCTP_ADDR_SRC, GFP_ATOMIC); + sizeof(chunk->dest), SCTP_ADDR_SRC, + GFP_ATOMIC); } retval->next_tsn = retval->c.initial_tsn; |