sctp: fix the length check in sctp_getsockopt_maxburst()
authorWei Yongjun <yjwei@cn.fujitsu.com>
Mon, 2 Mar 2009 09:46:12 +0000 (09:46 +0000)
committerDavid S. Miller <davem@davemloft.net>
Tue, 3 Mar 2009 06:49:17 +0000 (22:49 -0800)
The code in sctp_getsockopt_maxburst() doesn't allow len to be larger
then struct sctp_assoc_value, which is a common case where app writers
just pass down the sizeof(buf) or something similar.

This patch fix the problem.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sctp/socket.c

index 4bc558c19fcfc84c211c99bc4dff21bc963f9f01..bbd3cd238d7ffca87e34429862f5a2e31d3f952c 100644 (file)
@@ -5286,7 +5286,8 @@ static int sctp_getsockopt_maxburst(struct sock *sk, int len,
                printk(KERN_WARNING
                   "SCTP: Use struct sctp_assoc_value instead\n");
                params.assoc_id = 0;
-       } else if (len == sizeof (struct sctp_assoc_value)) {
+       } else if (len >= sizeof(struct sctp_assoc_value)) {
+               len = sizeof(struct sctp_assoc_value);
                if (copy_from_user(&params, optval, len))
                        return -EFAULT;
        } else