[SCTP]: Incorrect length was used in SCTP_*_AUTH_CHUNKS socket option

[~andy/linux] / net / sctp / socket.c

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 44797ad88a05b9527e48f6fca47765308829e083..848df21dc6c12df7b014ba80a4dd9ba373509dfc 100644 (file)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5070,6 +5070,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
        struct sctp_authchunks val;
        struct sctp_association *asoc;
        struct sctp_chunks_param *ch;
+       u32    num_chunks;
        char __user *to;
 
        if (len <= sizeof(struct sctp_authchunks))
@@ -5086,10 +5087,11 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
        ch = asoc->peer.peer_chunks;
 
        /* See if the user provided enough room for all the data */
-       if (len < ntohs(ch->param_hdr.length))
+       num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
+       if (len < num_chunks)
                return -EINVAL;
 
-       len = ntohs(ch->param_hdr.length);
+       len = num_chunks;
        if (put_user(len, optlen))
                return -EFAULT;
        if (copy_to_user(to, ch->chunks, len))
@@ -5105,6 +5107,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
        struct sctp_authchunks val;
        struct sctp_association *asoc;
        struct sctp_chunks_param *ch;
+       u32    num_chunks;
        char __user *to;
 
        if (len <= sizeof(struct sctp_authchunks))
@@ -5123,10 +5126,11 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
        else
                ch = sctp_sk(sk)->ep->auth_chunk_list;
 
-       if (len < ntohs(ch->param_hdr.length))
+       num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
+       if (len < num_chunks)
                return -EINVAL;
 
-       len = ntohs(ch->param_hdr.length);
+       len = num_chunks;
        if (put_user(len, optlen))
                return -EFAULT;
        if (copy_to_user(to, ch->chunks, len))