Fix sctp privilege elevation (CVE-2006-3745) sctp_make_abort_user() now takes the msg_len along with the msg so that we don't have to recalculate the bytes in iovec. It also uses memcpy_fromiovec() so that we don't go beyond the length allocated. It is good to have this fix even if verify_iovec() is fixed to return error on overflow. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

commit: c164a9ba0a8870c5c9d353f63085319931d69f23 [log] [tgz]
author: Sridhar Samudrala <sri@us.ibm.com> Tue Aug 22 11:50:39 2006 -0700
committer: Greg Kroah-Hartman <gregkh@suse.de> Tue Aug 22 12:52:23 2006 -0700
tree: 7e315a50008d0310dd5572a62baef34ddba89988
parent: ac185bdc02c216040f3b83f654d864bd8a29cedc [diff] [blame]
diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
index 1eac3d0..de313de 100644
--- a/include/net/sctp/sm.h
+++ b/include/net/sctp/sm.h

@@ -221,8 +221,7 @@
 				      const struct sctp_chunk *,
 				      __u32 tsn);
 struct sctp_chunk *sctp_make_abort_user(const struct sctp_association *,
-				   const struct sctp_chunk *,
-				   const struct msghdr *);
+					const struct msghdr *, size_t msg_len);
 struct sctp_chunk *sctp_make_abort_violation(const struct sctp_association *,
 				   const struct sctp_chunk *,
 				   const __u8 *,
commit	c164a9ba0a8870c5c9d353f63085319931d69f23	[log] [tgz]
author	Sridhar Samudrala <sri@us.ibm.com>	Tue Aug 22 11:50:39 2006 -0700
committer	Greg Kroah-Hartman <gregkh@suse.de>	Tue Aug 22 12:52:23 2006 -0700
tree	7e315a50008d0310dd5572a62baef34ddba89988
parent	ac185bdc02c216040f3b83f654d864bd8a29cedc [diff] [blame]