From: Dong Chenchen dongchenchen2@huawei.com
hulk inclusion category: bugfix bugzilla: 188766 CVE: NA
----------------------------------------
The stream->incnt is used to record number of stream_in. sctp_stream_alloc_in() allocate array of incnt size for sctp_stream_in. If array is allocated successfully in sctp_stream_init(), stream->incnt should be updated with variable incnt.
Fixes: 703397c74f8f5("sctp: leave the err path free in sctp_stream_init to sctp_stream_fre") Signed-off-by: Dong Chenchen dongchenchen2@huawei.com Reviewed-by: Liu Jian liujian56@huawei.com Signed-off-by: Zhang Changzhong zhangchangzhong@huawei.com --- net/sctp/stream.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/sctp/stream.c b/net/sctp/stream.c index 435cbf4549e7..c500d4e22cda 100644 --- a/net/sctp/stream.c +++ b/net/sctp/stream.c @@ -242,7 +242,11 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt, if (!incnt) return 0;
- return sctp_stream_alloc_in(stream, incnt, gfp); + ret = sctp_stream_alloc_in(stream, incnt, gfp); + if (!ret) + stream->incnt = incnt; + + return ret; }
int sctp_stream_init_ext(struct sctp_stream *stream, __u16 sid)