From: Al Viro Date: Tue, 21 Nov 2006 01:03:01 +0000 (-0800) Subject: [SCTP] bug: sctp_assoc_control_transport() breakage X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=0906e20fa03afdb14faf7fd166bfe4ed67c8db55;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [SCTP] bug: sctp_assoc_control_transport() breakage a) struct sockaddr_storage * passed to sctp_ulpevent_make_peer_addr_change() actually points at union sctp_addr field in a structure. Then that sucker gets copied to userland, with whatever junk we might have there. b) it's actually having host-endian sin_port. Signed-off-by: Al Viro Signed-off-by: David S. Miller --- diff --git a/net/sctp/associola.c b/net/sctp/associola.c index 7639044b0074..746b0b0f5ace 100644 --- a/net/sctp/associola.c +++ b/net/sctp/associola.c @@ -709,6 +709,7 @@ void sctp_assoc_control_transport(struct sctp_association *asoc, struct sctp_transport *first; struct sctp_transport *second; struct sctp_ulpevent *event; + struct sockaddr_storage addr; struct list_head *pos; int spc_state = 0; @@ -731,8 +732,9 @@ void sctp_assoc_control_transport(struct sctp_association *asoc, /* Generate and send a SCTP_PEER_ADDR_CHANGE notification to the * user. */ - event = sctp_ulpevent_make_peer_addr_change(asoc, - (struct sockaddr_storage *) &transport->ipaddr, + memset(&addr, 0, sizeof(struct sockaddr_storage)); + flip_to_n((union sctp_addr *)&addr, &transport->ipaddr); + event = sctp_ulpevent_make_peer_addr_change(asoc, &addr, 0, spc_state, error, GFP_ATOMIC); if (event) sctp_ulpq_tail_event(&asoc->ulpq, event);
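Review bot: in the second hunk (the `@@ -731,8 +732,9 @@` change), the `memset(&addr, 0, sizeof(struct sockaddr_storage));` is the only thing keeping uninitialised stack bytes out of the event that the commit message says is copied to userland, but nothing in the code says so. Add a one-line comment above it, so that a later cleanup does not drop it as redundant with the `flip_to_n()` call that follows. Writing it as `memset(&addr, 0, sizeof(addr));` would also keep the size tied to the variable declared in the first hunk. The cast `(union sctp_addr *)&addr` depends on `union sctp_addr` fitting inside `struct sockaddr_storage`; a compile-time size check or a comment would record that assumption. The description names two defects, (a) junk reaching userland and (b) a host-endian `sin_port`, and (b) is handled entirely inside `flip_to_n()`, whose body is not part of this diff, so a sentence in the commit message saying what that helper converts would make the fix verifiable from the patch alone. Other callers of `sctp_ulpevent_make_peer_addr_change()` are not shown here and should be checked for the same cast of a `union sctp_addr` field to `struct sockaddr_storage *`.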