git.baikalelectronics.ru Git - kernel.git/commit

sctp: fix copying more bytes than expected in sctp_add_bind_addr

Dmitry reported that sctp_add_bind_addr may read more bytes than
expected in case the parameter is a IPv4 addr supplied by the user
through calls such as sctp_bindx_add(), because it always copies
sizeof(union sctp_addr) while the buffer may be just a struct
sockaddr_in, which is smaller.

This patch then fixes it by limiting the memcpy to the min between the
union size and a (new parameter) provided addr size. Where possible this
parameter still is the size of that union, except for reading from
user-provided buffers, which then it accounts for protocol type.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

author	Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
	Tue, 8 Mar 2016 13:34:28 +0000 (10:34 -0300)
committer	David S. Miller <davem@davemloft.net>
	Tue, 8 Mar 2016 20:04:08 +0000 (15:04 -0500)
commit	7b0b0cadbebb989a1aada5160d468f953b0eb96b
tree	fa156a2753d1c80c12910790cb12ddf6db7da30b	tree \| snapshot
parent	9cbb21f0a0296e4d5ddd427c35ac9a86ec71570f	commit \| diff

include/net/sctp/structs.h		diff \| blob \| history
net/sctp/bind_addr.c		diff \| blob \| history
net/sctp/protocol.c		diff \| blob \| history
net/sctp/sm_make_chunk.c		diff \| blob \| history
net/sctp/socket.c		diff \| blob \| history