From 0906e20fa03afdb14faf7fd166bfe4ed67c8db55 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Mon, 20 Nov 2006 17:03:01 -0800 Subject: [PATCH] [SCTP] bug: sctp_assoc_control_transport() breakage a) struct sockaddr_storage * passed to sctp_ulpevent_make_peer_addr_change() actually points at union sctp_addr field in a structure. Then that sucker gets copied to userland, with whatever junk we might have there. b) it's actually having host-endian sin_port. Signed-off-by: Al Viro Signed-off-by: David S. Miller --- net/sctp/associola.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/sctp/associola.c b/net/sctp/associola.c index 7639044b0074..746b0b0f5ace 100644 --- a/net/sctp/associola.c +++ b/net/sctp/associola.c @@ -709,6 +709,7 @@ void sctp_assoc_control_transport(struct sctp_association *asoc, struct sctp_transport *first; struct sctp_transport *second; struct sctp_ulpevent *event; + struct sockaddr_storage addr; struct list_head *pos; int spc_state = 0; @@ -731,8 +732,9 @@ void sctp_assoc_control_transport(struct sctp_association *asoc, /* Generate and send a SCTP_PEER_ADDR_CHANGE notification to the * user. */ - event = sctp_ulpevent_make_peer_addr_change(asoc, - (struct sockaddr_storage *) &transport->ipaddr, + memset(&addr, 0, sizeof(struct sockaddr_storage)); + flip_to_n((union sctp_addr *)&addr, &transport->ipaddr); + event = sctp_ulpevent_make_peer_addr_change(asoc, &addr, 0, spc_state, error, GFP_ATOMIC); if (event) sctp_ulpq_tail_event(&asoc->ulpq, event);