sctp: Fix a big endian bug in sctp_diag_dump()
author Dan Carpenter <dan.carpenter@oracle.com>
Mon, 25 Sep 2017 10:19:26 +0000 (13:19 +0300)
committer David S. Miller <davem@davemloft.net>
Wed, 27 Sep 2017 04:16:29 +0000 (21:16 -0700)

The sctp_for_each_transport() function takes a pointer to int.  The
cb->args[] array holds longs so it's only using the high 32 bits.  It
works on little endian systems but will break on big endian 64 bit
machines.

Fixes: d25adbeb0cdb ("sctp: fix an use-after-free issue in sctp_sock_dump")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sctp/sctp_diag.c

index 22ed01a76b19cbd8af715f9a31f5c2d39312ce74..a72a7d925d4631e30cfb0743df392ff4cef456ca 100644 (file)
@@ -463,6 +463,7 @@ static void sctp_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
                .r = r,
                .net_admin = netlink_net_capable(cb->skb, CAP_NET_ADMIN),
        };
+       int pos = cb->args[2];
 
        /* eps hashtable dumps
         * args:
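Review bot: at the new `int pos = cb->args[2];` the long element is narrowed to int implicitly, and nothing in the code says why a local is needed. A one-line comment stating that sctp_for_each_transport() takes an int * while cb->args[] holds longs, so the slot cannot be passed by address, would keep a later cleanup from reintroducing the `(int *)&cb->args[2]` cast. The narrowing relies on the stored position always fitting in an int, which holds as long as this slot is only ever written back from pos.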
@@ -493,7 +494,8 @@ skip:
                goto done;
 
        sctp_for_each_transport(sctp_sock_filter, sctp_sock_dump,
-                               net, (int *)&cb->args[2], &commp);
+                               net, &pos, &commp);
+       cb->args[2] = pos;
 
 done:
        cb->args[1] = cb->args[4];
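Review bot: `cb->args[2] = pos;` sits after the call and before the `done:` label, so the `goto done` just above it skips the write-back. That is harmless here because pos still equals cb->args[2] on that path, but it depends on nothing between the initialisation and this call modifying pos, so the store should stay directly adjacent to the call. Since the defect was an `(int *)` cast applied to a long slot, the rest of sctp_diag.c deserves a check for other casts of the same shape on cb->args[].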