2.4.36-stable kernel tree
Revision | b42297369f3b0994fd1551860737cfb68f4f97ca (tree) |
---|---|
Time | 2008-09-06 20:35:25 |
Author | David S. Miller <davem@dave...> |
Commiter | Willy Tarreau |
sctp: Make sure N * sizeof(union sctp_addr) does not overflow (CVE-2008-2826)
[backport of 2.6 commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62]
As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.
Therefore, enforce an appropriate limit.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
@@ -3175,7 +3175,9 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len, | ||
3175 | 3175 | if (copy_from_user(&getaddrs, optval, sizeof(struct sctp_getaddrs))) |
3176 | 3176 | return -EFAULT; |
3177 | 3177 | |
3178 | - if (getaddrs.addr_num <= 0) return -EINVAL; | |
3178 | + if (getaddrs.addr_num <= 0 || | |
3179 | + getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr))) | |
3180 | + return -EINVAL; | |
3179 | 3181 | /* |
3180 | 3182 | * For UDP-style sockets, id specifies the association to query. |
3181 | 3183 | * If the id field is set to the value '0' then the locally bound |