sctp: fix the length check in sctp_getsockopt_maxburst() The code in sctp_getsockopt_maxburst() doesn't allow len to be larger then struct sctp_assoc_value, which is a common case where app writers just pass down the sizeof(buf) or something similar. This patch fix the problem. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: c6db93a58f1745cfe1acc2e1a1d68afc3245eced [log] [tgz]
author: Wei Yongjun <yjwei@cn.fujitsu.com> Mon Mar 02 09:46:12 2009 +0000
committer: David S. Miller <davem@davemloft.net> Mon Mar 02 22:49:17 2009 -0800
tree: b4e88d10bc75fa6565d91202460fb3f0ed5cc7c5
parent: d212318c9d1b11ff44b57f90b4f9d9c9b31a6ced [diff] [blame]
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 4bc558c..bbd3cd2 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c

@@ -5286,7 +5286,8 @@
 		printk(KERN_WARNING
 		   "SCTP: Use struct sctp_assoc_value instead\n");
 		params.assoc_id = 0;
-	} else if (len == sizeof (struct sctp_assoc_value)) {
+	} else if (len >= sizeof(struct sctp_assoc_value)) {
+		len = sizeof(struct sctp_assoc_value);
 		if (copy_from_user(&params, optval, len))
 			return -EFAULT;
 	} else
commit	c6db93a58f1745cfe1acc2e1a1d68afc3245eced	[log] [tgz]
author	Wei Yongjun <yjwei@cn.fujitsu.com>	Mon Mar 02 09:46:12 2009 +0000
committer	David S. Miller <davem@davemloft.net>	Mon Mar 02 22:49:17 2009 -0800
tree	b4e88d10bc75fa6565d91202460fb3f0ed5cc7c5
parent	d212318c9d1b11ff44b57f90b4f9d9c9b31a6ced [diff] [blame]