On Tue, Nov 13, 2018 at 02:24:53PM +0800, Xin Long wrote:
>
> /* Default Peer Address Parameters. These defaults can
> * be modified via SCTP_PEER_ADDR_PARAMS
> @@ -5267,14 +5274,24 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len,
> static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval,
> int __user *optlen)
> {
> + struct sctp_event_subscribe subscribe;
> + __u8 *sn_type = (__u8 *)&subscribe;
> + int i;
> +
> if (len == 0)
> return -EINVAL;
> if (len > sizeof(struct sctp_event_subscribe))
> len = sizeof(struct sctp_event_subscribe);
> if (put_user(len, optlen))
> return -EFAULT;
> - if (copy_to_user(optval, &sctp_sk(sk)->subscribe, len))
> +
> + for (i = 0; i <= len; i++)
> + sn_type[i] = sctp_ulpevent_type_enabled(sctp_sk(sk)->subscribe,
> + SCTP_SN_TYPE_BASE + i);
> +
This seems like an off by one error. sctp_event_subscribe has N bytes in it (1 byte for each event), meaning that that events 0-(N-1) are subscribable. Iterating this loop imples that you are going to check N events, overrunning the sctp_event_subscribe struct.
Neil
>