summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2008-06-20 22:04:34 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2008-06-24 14:08:29 -0700
commitbd3aae04b2b17300b33e2e1b89482715c2cf7de3 (patch)
tree2aca95657b8b5d669f434f5adf9c42f65cf0d156
parent489cf6b0ade32067774b89e8e822a012d3f3bb96 (diff)
downloadlwn-bd3aae04b2b17300b33e2e1b89482715c2cf7de3.tar.gz
lwn-bd3aae04b2b17300b33e2e1b89482715c2cf7de3.zip
sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62 upstream As noticed by Gabriel Campana, the kmalloc() length arg passed in by sctp_getsockopt_local_addrs_old() can overflow if ->addr_num is large enough. Therefore, enforce an appropriate limit. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--net/sctp/socket.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 998e63a31311..2d422607b709 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4421,7 +4421,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len,
if (copy_from_user(&getaddrs, optval, len))
return -EFAULT;
- if (getaddrs.addr_num <= 0) return -EINVAL;
+ if (getaddrs.addr_num <= 0 ||
+ getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
+ return -EINVAL;
/*
* For UDP-style sockets, id specifies the association to query.
* If the id field is set to the value '0' then the locally bound