This is a note to let you know that I've just added the patch titled
sctp: make use of pre-calculated len
to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: sctp-make-use-of-pre-calculated-len.patch and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
From foo@baz Wed Feb 28 16:23:28 CET 2018
From: Marcelo Ricardo Leitner marcelo.leitner@gmail.com Date: Mon, 8 Jan 2018 19:02:29 -0200 Subject: sctp: make use of pre-calculated len
From: Marcelo Ricardo Leitner marcelo.leitner@gmail.com
[ Upstream commit c76f97c99ae6d26d14c7f0e50e074382bfbc9f98 ]
Some sockopt handling functions were calculating the length of the buffer to be written to userspace and then calculating it again when actually writing the buffer, which could lead to some write not using an up-to-date length.
This patch updates such places to just make use of the len variable.
Also, replace some sizeof(type) to sizeof(var).
Signed-off-by: Marcelo Ricardo Leitner marcelo.leitner@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin alexander.levin@verizon.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/sctp/socket.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-)
--- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4957,7 +4957,7 @@ static int sctp_getsockopt_autoclose(str len = sizeof(int); if (put_user(len, optlen)) return -EFAULT; - if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int))) + if (copy_to_user(optval, &sctp_sk(sk)->autoclose, len)) return -EFAULT; return 0; } @@ -5588,6 +5588,9 @@ copy_getaddrs: err = -EFAULT; goto out; } + /* XXX: We should have accounted for sizeof(struct sctp_getaddrs) too, + * but we can't change it anymore. + */ if (put_user(bytes_copied, optlen)) err = -EFAULT; out: @@ -6024,7 +6027,7 @@ static int sctp_getsockopt_maxseg(struct params.assoc_id = 0; } else if (len >= sizeof(struct sctp_assoc_value)) { len = sizeof(struct sctp_assoc_value); - if (copy_from_user(¶ms, optval, sizeof(params))) + if (copy_from_user(¶ms, optval, len)) return -EFAULT; } else return -EINVAL; @@ -6194,7 +6197,9 @@ static int sctp_getsockopt_active_key(st
if (len < sizeof(struct sctp_authkeyid)) return -EINVAL; - if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid))) + + len = sizeof(struct sctp_authkeyid); + if (copy_from_user(&val, optval, len)) return -EFAULT;
asoc = sctp_id2assoc(sk, val.scact_assoc_id); @@ -6206,7 +6211,6 @@ static int sctp_getsockopt_active_key(st else val.scact_keynumber = ep->active_key_id;
- len = sizeof(struct sctp_authkeyid); if (put_user(len, optlen)) return -EFAULT; if (copy_to_user(optval, &val, len)) @@ -6232,7 +6236,7 @@ static int sctp_getsockopt_peer_auth_chu if (len < sizeof(struct sctp_authchunks)) return -EINVAL;
- if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks))) + if (copy_from_user(&val, optval, sizeof(val))) return -EFAULT;
to = p->gauth_chunks; @@ -6277,7 +6281,7 @@ static int sctp_getsockopt_local_auth_ch if (len < sizeof(struct sctp_authchunks)) return -EINVAL;
- if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks))) + if (copy_from_user(&val, optval, sizeof(val))) return -EFAULT;
to = p->gauth_chunks;
Patches currently in stable-queue which might be from marcelo.leitner@gmail.com are
queue-4.14/sctp-make-use-of-pre-calculated-len.patch queue-4.14/sctp-add-a-ceiling-to-optlen-in-some-sockopts.patch queue-4.14/sctp-fix-the-issue-that-a-__u16-variable-may-overflow-in-sctp_ulpq_renege.patch