From: Xin Long <lucien....@gmail.com> Date: Mon, 18 Dec 2017 14:07:25 +0800
> Now when reneging events in sctp_ulpq_renege(), the variable freed > could be increased by a __u16 value twice while freed is of __u16 > type. It means freed may overflow at the second addition. > > This patch is to fix it by using __u32 type for 'freed', while at > it, also to remove 'if (chunk)' check, as all renege commands are > generated in sctp_eat_data and it can't be NULL. > > Reported-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> > Signed-off-by: Xin Long <lucien....@gmail.com> Applied.
