Diffstat (limited to 'trunk/2.6.18/30077_sctp-make-sure-n-sizeof-does-not-overflow.patch')
-rw-r--r-- | trunk/2.6.18/30077_sctp-make-sure-n-sizeof-does-not-overflow.patch | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/trunk/2.6.18/30077_sctp-make-sure-n-sizeof-does-not-overflow.patch b/trunk/2.6.18/30077_sctp-make-sure-n-sizeof-does-not-overflow.patch
new file mode 100644
index 0000000..a36c02d
--- /dev/null
+++ b/trunk/2.6.18/30077_sctp-make-sure-n-sizeof-does-not-overflow.patch
@@ -0,0 +1,29 @@
+commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62
+Author: David S. Miller <davem@davemloft.net>
+Date: Fri Jun 20 22:04:34 2008 -0700
+
+ sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
+
+ As noticed by Gabriel Campana, the kmalloc() length arg
+ passed in by sctp_getsockopt_local_addrs_old() can overflow
+ if ->addr_num is large enough.
+
+ Therefore, enforce an appropriate limit.
+
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index e7e3baf..0dbcde6 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4401,7 +4401,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len,
+ if (copy_from_user(&getaddrs, optval, len))
+ return -EFAULT;
+
+- if (getaddrs.addr_num <= 0) return -EINVAL;
++ if (getaddrs.addr_num <= 0 ||
++ getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
++ return -EINVAL;
+ /*
+ * For UDP-style sockets, id specifies the association to query.
+ * If the id field is set to the value '0' then the locally bound |
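Review bot: The new upper bound on `getaddrs.addr_num` in sctp_getsockopt_local_addrs_old() only guarantees that `addr_num * sizeof(union sctp_addr)` stays below INT_MAX, so a caller-supplied count can still drive an allocation request of nearly that size. The kmalloc() call and its failure handling sit outside the hunk, so confirm that a NULL return is checked there, and consider capping the count against the number of addresses actually bound or against the user buffer length rather than the arithmetic limit alone. The check also deserves a short comment stating its intent, for example `/* addr_num is user-supplied: keep addr_num * sizeof(union sctp_addr) from overflowing the kmalloc() length */`. The function starts and ends outside the hunk, so the type that holds the product is not visible here.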