This check is missing an upper bound. Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- This should go in 3.8 -stable as well. diff --git a/net/sctp/socket.c b/net/sctp/socket.c index c99458d..fbd8386 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -5652,6 +5652,8 @@ static int sctp_getsockopt_assoc_stats(struct sock *sk, int len, /* User must provide at least the assoc id */ if (len < sizeof(sctp_assoc_t)) return -EINVAL; + if (len > sizeof(struct sctp_assoc_stats)) + len = sizeof(struct sctp_assoc_stats); if (copy_from_user(&sas, optval, len)) return -EFAULT; -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html