• R/O
  • HTTP
  • SSH
  • HTTPS

linux-2.4.36: Commit

2.4.36-stable kernel tree


Commit MetaInfo

Revisionb42297369f3b0994fd1551860737cfb68f4f97ca (tree)
Time2008-09-06 20:35:25
AuthorDavid S. Miller <davem@dave...>
CommiterWilly Tarreau

Log Message

sctp: Make sure N * sizeof(union sctp_addr) does not overflow (CVE-2008-2826)

[backport of 2.6 commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62]

As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>

Change Summary

Incremental Difference

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3175,7 +3175,9 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len,
31753175 if (copy_from_user(&getaddrs, optval, sizeof(struct sctp_getaddrs)))
31763176 return -EFAULT;
31773177
3178- if (getaddrs.addr_num <= 0) return -EINVAL;
3178+ if (getaddrs.addr_num <= 0 ||
3179+ getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
3180+ return -EINVAL;
31793181 /*
31803182 * For UDP-style sockets, id specifies the association to query.
31813183 * If the id field is set to the value '0' then the locally bound
Show on old repository browser