From: Wei Yongjun Date: Mon, 2 Mar 2009 09:46:12 +0000 (+0000) Subject: sctp: fix the length check in sctp_getsockopt_maxburst() X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=c6db93a58f1745cfe1acc2e1a1d68afc3245eced;p=openwrt%2Fstaging%2Fblogic.git sctp: fix the length check in sctp_getsockopt_maxburst() The code in sctp_getsockopt_maxburst() doesn't allow len to be larger then struct sctp_assoc_value, which is a common case where app writers just pass down the sizeof(buf) or something similar. This patch fix the problem. Signed-off-by: Wei Yongjun Signed-off-by: Vlad Yasevich Signed-off-by: David S. Miller --- diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 4bc558c19fcf..bbd3cd238d7f 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -5286,7 +5286,8 @@ static int sctp_getsockopt_maxburst(struct sock *sk, int len, printk(KERN_WARNING "SCTP: Use struct sctp_assoc_value instead\n"); params.assoc_id = 0; - } else if (len == sizeof (struct sctp_assoc_value)) { + } else if (len >= sizeof(struct sctp_assoc_value)) { + len = sizeof(struct sctp_assoc_value); if (copy_from_user(¶ms, optval, len)) return -EFAULT; } else