Accueil Explorer Aide
S'inscrire Connexion
phyus
/
linux-vybrid_public
8
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Parcourir la source

sctp: Make sure N * sizeof(union sctp_addr) does not overflow.

As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller il y a 17 ans
Parent
2645a3c376
commit
735ce972fb
1 fichiers modifiés avec 3 ajouts et 1 suppressions
Vue séparée Afficher les stats Diff
  1. 3 1
      net/sctp/socket.c

+ 3 - 1
net/sctp/socket.c
Voir le fichier 

@@ -4401,7 +4401,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len,
 
 	if (copy_from_user(&getaddrs, optval, len))
 
 		return -EFAULT;
 
 
-	if (getaddrs.addr_num <= 0) return -EINVAL;
 
+	if (getaddrs.addr_num <= 0 ||
 
+	    getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
 
+		return -EINVAL;
 
 	/*
 
 	 *  For UDP-style sockets, id specifies the association to query.
 
 	 *  If the id field is set to the value '0' then the locally bound