From: Xin Long Date: Tue, 30 Jul 2019 12:38:20 +0000 (+0800) Subject: sctp: check addr_size with sa_family_t size in __sctp_setsockopt_connectx X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=f40f1177c38cb642b65af9f077bc56241e2b41c2;p=linux.git sctp: check addr_size with sa_family_t size in __sctp_setsockopt_connectx Now __sctp_connect() is called by __sctp_setsockopt_connectx() and sctp_inet_connect(), the latter has done addr_size check with size of sa_family_t. In the next patch to clean up __sctp_connect(), we will remove addr_size check with size of sa_family_t from __sctp_connect() for the 1st address. So before doing that, __sctp_setsockopt_connectx() should do this check first, as sctp_inet_connect() does. Signed-off-by: Xin Long Signed-off-by: David S. Miller --- diff --git a/net/sctp/socket.c b/net/sctp/socket.c index aa80cda365811..e9c5b3930ae6f 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -1311,7 +1311,8 @@ static int __sctp_setsockopt_connectx(struct sock *sk, pr_debug("%s: sk:%p addrs:%p addrs_size:%d\n", __func__, sk, addrs, addrs_size); - if (unlikely(addrs_size <= 0)) + /* make sure the 1st addr's sa_family is accessible later */ + if (unlikely(addrs_size < sizeof(sa_family_t))) return -EINVAL; kaddrs = memdup_user(addrs, addrs_size);
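Review bot: The new test `addrs_size < sizeof(sa_family_t)` is a signed/unsigned comparison and no longer rejects negative sizes the way the removed `addrs_size <= 0` did. `addrs_size` is printed with `%d` and was previously compared against 0, so it appears to be a signed int. Compared against the `size_t` result of `sizeof`, it is converted to unsigned, so a negative value becomes very large, passes the check, and is handed to `memdup_user(addrs, addrs_size)` instead of returning -EINVAL here. Consider `if (unlikely(addrs_size < (int)sizeof(sa_family_t)))`, or keep an explicit `addrs_size <= 0 ||` term in front of the new comparison. The comment could also say that the lower bound doubles as the non-positive check.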