diff options
author | Xin Long <lucien.xin@gmail.com> | 2017-12-18 14:07:25 +0800 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-12-18 13:21:46 -0500 |
commit | 5c468674d17056148da06218d4da5d04baf22eac (patch) | |
tree | 65dc8499eee2f0c96094daa1493e9259a0f57a3e /CREDITS | |
parent | ac3241d5c81bf6e85095481435f29a4627ff820e (diff) |
sctp: fix the issue that a __u16 variable may overflow in sctp_ulpq_renege
Now when reneging events in sctp_ulpq_renege(), the variable freed
could be increased by a __u16 value twice while freed is of __u16
type. It means freed may overflow at the second addition.
This patch is to fix it by using __u32 type for 'freed', while at
it, also to remove 'if (chunk)' check, as all renege commands are
generated in sctp_eat_data and it can't be NULL.
Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'CREDITS')
0 files changed, 0 insertions, 0 deletions