diff options
author | Xin Long <lucien.xin@gmail.com> | 2019-07-30 14:38:19 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2019-07-30 23:18:14 +0200 |
commit | 4c31bc6b1e2ee9c21608506431783dfa525b9989 (patch) | |
tree | 93c7b9d7bea7695982a51dcdd29764f72fe3f1f7 /net/sctp/transport.c | |
parent | rxrpc: Fix -Wframe-larger-than= warnings from on-stack crypto (diff) | |
download | linux-4c31bc6b1e2ee9c21608506431783dfa525b9989.tar.xz linux-4c31bc6b1e2ee9c21608506431783dfa525b9989.zip |
sctp: only copy the available addr data in sctp_transport_init
'addr' passed to sctp_transport_init is not always a whole size
of union sctp_addr, like the path:
sctp_sendmsg() ->
sctp_sendmsg_new_asoc() ->
sctp_assoc_add_peer() ->
sctp_transport_new() -> sctp_transport_init()
In the next patches, we will also pass the address length of data
only to sctp_assoc_add_peer().
So sctp_transport_init() should copy the only available data from
addr to peer->ipaddr, instead of 'peer->ipaddr = *addr' which may
cause slab-out-of-bounds.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp/transport.c')
-rw-r--r-- | net/sctp/transport.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sctp/transport.c b/net/sctp/transport.c index e2f8e369cd08..7235a6032671 100644 --- a/net/sctp/transport.c +++ b/net/sctp/transport.c @@ -43,8 +43,8 @@ static struct sctp_transport *sctp_transport_init(struct net *net, gfp_t gfp) { /* Copy in the address. */ - peer->ipaddr = *addr; peer->af_specific = sctp_get_af_specific(addr->sa.sa_family); + memcpy(&peer->ipaddr, addr, peer->af_specific->sockaddr_len); memset(&peer->saddr, 0, sizeof(union sctp_addr)); peer->sack_generation = 0; |