aboutsummaryrefslogtreecommitdiffstats
path: root/include/net/sctp/sm.h
diff options
context:
space:
mode:
authorSridhar Samudrala <sri@us.ibm.com>2006-08-22 11:50:39 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2006-08-22 12:52:23 -0700
commitc164a9ba0a8870c5c9d353f63085319931d69f23 (patch)
tree7e315a50008d0310dd5572a62baef34ddba89988 /include/net/sctp/sm.h
parentac185bdc02c216040f3b83f654d864bd8a29cedc (diff)
downloadkernel_samsung_aries-c164a9ba0a8870c5c9d353f63085319931d69f23.zip
kernel_samsung_aries-c164a9ba0a8870c5c9d353f63085319931d69f23.tar.gz
kernel_samsung_aries-c164a9ba0a8870c5c9d353f63085319931d69f23.tar.bz2
Fix sctp privilege elevation (CVE-2006-3745)
sctp_make_abort_user() now takes the msg_len along with the msg so that we don't have to recalculate the bytes in iovec. It also uses memcpy_fromiovec() so that we don't go beyond the length allocated. It is good to have this fix even if verify_iovec() is fixed to return error on overflow. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'include/net/sctp/sm.h')
-rw-r--r--include/net/sctp/sm.h3
1 files changed, 1 insertions, 2 deletions
diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
index 1eac3d0..de313de 100644
--- a/include/net/sctp/sm.h
+++ b/include/net/sctp/sm.h
@@ -221,8 +221,7 @@ struct sctp_chunk *sctp_make_abort_no_data(const struct sctp_association *,
const struct sctp_chunk *,
__u32 tsn);
struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *,
- const struct sctp_chunk *,
- const struct msghdr *);
+ const struct msghdr *, size_t msg_len);
struct sctp_chunk *sctp_make_abort_violation(const struct sctp_association *,
const struct sctp_chunk *,
const __u8 *,