[SCTP]: Incorrect length was used in SCTP_*_AUTH_CHUNKS socket option
The chunks are stored inside a parameter structure in the kernel
and when we copy them to the user, we need to account for
the parameter header.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 44797ad..848df21 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5070,6 +5070,7 @@
struct sctp_authchunks val;
struct sctp_association *asoc;
struct sctp_chunks_param *ch;
+ u32 num_chunks;
char __user *to;
if (len <= sizeof(struct sctp_authchunks))
@@ -5086,10 +5087,11 @@
ch = asoc->peer.peer_chunks;
/* See if the user provided enough room for all the data */
- if (len < ntohs(ch->param_hdr.length))
+ num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
+ if (len < num_chunks)
return -EINVAL;
- len = ntohs(ch->param_hdr.length);
+ len = num_chunks;
if (put_user(len, optlen))
return -EFAULT;
if (copy_to_user(to, ch->chunks, len))
@@ -5105,6 +5107,7 @@
struct sctp_authchunks val;
struct sctp_association *asoc;
struct sctp_chunks_param *ch;
+ u32 num_chunks;
char __user *to;
if (len <= sizeof(struct sctp_authchunks))
@@ -5123,10 +5126,11 @@
else
ch = sctp_sk(sk)->ep->auth_chunk_list;
- if (len < ntohs(ch->param_hdr.length))
+ num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
+ if (len < num_chunks)
return -EINVAL;
- len = ntohs(ch->param_hdr.length);
+ len = num_chunks;
if (put_user(len, optlen))
return -EFAULT;
if (copy_to_user(to, ch->chunks, len))
