Fix sctp privilege elevation (CVE-2006-3745)
sctp_make_abort_user() now takes the msg_len along with the msg so that we don't have to recalculate the bytes in iovec. It also uses memcpy_fromiovec() so that we don't go beyond the length allocated. It is good to have this fix even if verify_iovec() is fixed to return error on overflow. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
committed by
Greg Kroah-Hartman
parent
ac185bdc02
commit
c164a9ba0a
@ -404,19 +404,6 @@ static inline int sctp_list_single_entry(struct list_head *head)
|
||||
return ((head->next != head) && (head->next == head->prev));
|
||||
}
|
||||
|
||||
/* Calculate the size (in bytes) occupied by the data of an iovec. */
|
||||
static inline size_t get_user_iov_size(struct iovec *iov, int iovlen)
|
||||
{
|
||||
size_t retval = 0;
|
||||
|
||||
for (; iovlen > 0; --iovlen) {
|
||||
retval += iov->iov_len;
|
||||
iov++;
|
||||
}
|
||||
|
||||
return retval;
|
||||
}
|
||||
|
||||
/* Generate a random jitter in the range of -50% ~ +50% of input RTO. */
|
||||
static inline __s32 sctp_jitter(__u32 rto)
|
||||
{
|
||||
|
Reference in New Issue
Block a user