sctp: Fix kernel panic while process protocol violation parameter Since call to function sctp_sf_abort_violation() need paramter 'arg' with 'struct sctp_chunk' type, it will read the chunk type and chunk length from the chunk_hdr member of chunk. But call to sctp_sf_violation_paramlen() always with 'struct sctp_paramhdr' type's parameter, it will be passed to sctp_sf_abort_violation(). This may cause kernel panic. sctp_sf_violation_paramlen() |-- sctp_sf_abort_violation() |-- sctp_make_abort_violation() This patch fixed this problem. This patch also fix two place which called sctp_sf_violation_paramlen() with wrong paramter type. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: ba0166708ef4da7eeb61dd92bbba4d5a749d6561 [log] [tgz]
author: Wei Yongjun <yjwei@cn.fujitsu.com> Tue Sep 30 05:32:24 2008 -0700
committer: David S. Miller <davem@davemloft.net> Tue Sep 30 05:32:24 2008 -0700
tree: 0e28c1d17b67d24125df4f05cbcca94c7e90ccd3
parent: 8b122efd13a227d35d5ca242561770db1b5e3658 [diff] [blame]
diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
index 2481173..029a54a 100644
--- a/include/net/sctp/sm.h
+++ b/include/net/sctp/sm.h

@@ -227,6 +227,9 @@
 				   const struct sctp_chunk *,
 				   const __u8 *,
 				   const size_t );
+struct sctp_chunk *sctp_make_violation_paramlen(const struct sctp_association *,
+				   const struct sctp_chunk *,
+				   struct sctp_paramhdr *);
 struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *,
 				  const struct sctp_transport *,
 				  const void *payload,
commit	ba0166708ef4da7eeb61dd92bbba4d5a749d6561	[log] [tgz]
author	Wei Yongjun <yjwei@cn.fujitsu.com>	Tue Sep 30 05:32:24 2008 -0700
committer	David S. Miller <davem@davemloft.net>	Tue Sep 30 05:32:24 2008 -0700
tree	0e28c1d17b67d24125df4f05cbcca94c7e90ccd3
parent	8b122efd13a227d35d5ca242561770db1b5e3658 [diff] [blame]