| commit | 28ea23d9847cadc58edf3d10b8c1651f18b8d26b | |
| author | Sridhar Samudrala <sri@us.ibm.com> | |
| Wed, 23 Aug 2006 16:01:55 +0000 (23 18:01 +0200) | ||
| committer | Adrian Bunk <bunk@stusta.de> | |
| Wed, 23 Aug 2006 16:01:55 +0000 (23 18:01 +0200) | ||
| tree | 31ac7bbb39abccec7551722ed1167289463f612d | treesnapshot (tar.gz zip) |
| parent | b9a96aa8fa91f4f3187d141a84f0aeaed2935cbe | commitdiff |
Fix sctp privilege elevation (CVE-2006-3745)
sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.
It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
sctp_make_abort_user() now takes the msg_len along with the msg
so that we don't have to recalculate the bytes in iovec.
It also uses memcpy_fromiovec() so that we don't go beyond the
length allocated.
It is good to have this fix even if verify_iovec() is fixed to
return error on overflow.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>