diff options
author | Guenter Roeck <linux@roeck-us.net> | 2013-02-27 10:57:31 +0000 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-03-20 13:10:57 -0700 |
commit | 10ad3eeffe25354f9ef7d7e530c60216f2f2e641 (patch) | |
tree | 1370399456aac55491ae4ab731579c7f76ed45db | |
parent | 8c3dec2949ac501a61c893c4c4958621420cbb82 (diff) |
net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
commit 726bc6b092da4c093eb74d13c07184b18c1af0f1 upstream.
Building sctp may fail with:
In function ‘copy_from_user’,
inlined from ‘sctp_getsockopt_assoc_stats’ at
net/sctp/socket.c:5656:20:
arch/x86/include/asm/uaccess_32.h:211:26: error: call to
‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
buffer size is not provably correct
if built with W=1 due to a missing parameter size validation
before the call to copy_from_user.
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | net/sctp/socket.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index cedd9bf67b8..9ef5c7312e1 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len, if (len < sizeof(sctp_assoc_t)) return -EINVAL; + /* Allow the struct to grow and fill in as much as possible */ + len = min_t(size_t, len, sizeof(sas)); + if (copy_from_user(&sas, optval, len)) return -EFAULT; @@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len, /* Mark beginning of a new observation period */ asoc->stats.max_obs_rto = asoc->rto_min; - /* Allow the struct to grow and fill in as much as possible */ - len = min_t(size_t, len, sizeof(sas)); - if (put_user(len, optlen)) return -EFAULT; |