git.hungrycats.org Git - linux/commitdiff
fixup: sctp: verify size of a new chunk in _sctp_make_chunk()
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 13 Mar 2018 09:56:00 +0000 (10:56 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 18 Mar 2018 10:15:45 +0000 (11:15 +0100)
Ben writes:
> > + int chunklen;
> > +
> > + chunklen = sizeof(*chunk_hdr) + paylen;
>
> I think this length still needs to be rounded up (with WORD_ROUND here,
> instead of SCTP_PAD4 upstream).

So here's a fix for this problem.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/sctp/sm_make_chunk.c

index 6d48cbf6465d0014bccb6e8c1ee2b3438ac94089..bbf6abb6ae3c39e40494cec59dc201ca61cd932d 100644 (file)
@@ -1369,7 +1369,7 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
        struct sock *sk;
        int chunklen;
 
-       chunklen = sizeof(*chunk_hdr) + paylen;
+       chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen);
        if (chunklen > SCTP_MAX_CHUNK_LEN)
                goto nodata;
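
Review bot: the `chunklen > SCTP_MAX_CHUNK_LEN` test now runs against the padded length, but nothing visible in this hunk shows that the allocation further down in `_sctp_make_chunk()` is sized from the same `chunklen` rather than from a second, separately computed `WORD_ROUND(sizeof(*chunk_hdr) + paylen)`. If the two are computed independently, a later edit to one of them can let the checked size and the allocated size drift apart again, which is the class of bug this fixup is closing. Please confirm the allocation uses `chunklen` directly. It is also worth noting that the sum is rounded before it is stored in `int chunklen` and compared, so a `paylen` large enough to wrap the addition would not be caught by this upper-bound check alone; the type and range of `paylen` are not visible here, so a short comment above the assignment stating the expected range would help the next reader.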