On Tue, Mar 13, 2018 at 11:03 AM, Wei Yongjun <weiyongj...@huawei.com> wrote:
> Return error code -EINVAL in the address len check error handling
> case since 'err' can be overwrite to 0 by 'err = sctp_verify_addr()'
> in the for loop.
>
> Fixes: 2c0dbaa0c43d ("sctp: add support for SCTP_DSTADDRV4/6 Information for
> sendmsg")
> Signed-off-by: Wei Yongjun <weiyongj...@huawei.com>
> Acked-by: Neil Horman <nhor...@tuxdriver.com>
> ---
> v1 -> v2: remove the 'err' initialization
> ---
> net/sctp/socket.c | 10 +++++++---
> 1 file changed, 7 insertions(+), 3 deletions(-)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index 7d3476a..af5cf29 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -1677,7 +1677,7 @@ static int sctp_sendmsg_new_asoc(struct sock *sk, __u16
> sflags,
> struct sctp_association *asoc;
> enum sctp_scope scope;
> struct cmsghdr *cmsg;
> - int err = -EINVAL;
> + int err;
>
> *tp = NULL;
>
> @@ -1761,16 +1761,20 @@ static int sctp_sendmsg_new_asoc(struct sock *sk,
> __u16 sflags,
> memset(daddr, 0, sizeof(*daddr));
> dlen = cmsg->cmsg_len - sizeof(struct cmsghdr);
> if (cmsg->cmsg_type == SCTP_DSTADDRV4) {
> - if (dlen < sizeof(struct in_addr))
> + if (dlen < sizeof(struct in_addr)) {
> + err = -EINVAL;
> goto free;
> + }
>
> dlen = sizeof(struct in_addr);
> daddr->v4.sin_family = AF_INET;
> daddr->v4.sin_port = htons(asoc->peer.port);
> memcpy(&daddr->v4.sin_addr, CMSG_DATA(cmsg), dlen);
> } else {
> - if (dlen < sizeof(struct in6_addr))
> + if (dlen < sizeof(struct in6_addr)) {
> + err = -EINVAL;
> goto free;
> + }
>
> dlen = sizeof(struct in6_addr);
> daddr->v6.sin6_family = AF_INET6;
>
Reviewed-by: Xin Long <lucien....@gmail.com>
