Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

sctp: fix random memory dereference with SCTP_HMAC_IDENT option.

The number of identifiers needs to be checked against the option
length.  Also, the identifier index provided needs to be verified
to make sure that it doesn't exceed the bounds of the array.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vlad Yasevich 16 years ago
parent
328fc47ea0
commit
d97240552c
2 changed files with 7 additions and 2 deletions
Unified View Show Diff Stats
  1. 3 0
      net/sctp/auth.c
  2. 4 2
      net/sctp/socket.c

+ 3 - 0
net/sctp/auth.c
View File 

@@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
 
 	for (i = 0; i < hmacs->shmac_num_idents; i++) {
 
 	for (i = 0; i < hmacs->shmac_num_idents; i++) {
 
 		id = hmacs->shmac_idents[i];
 
 		id = hmacs->shmac_idents[i];
 
 
 
+		if (id > SCTP_AUTH_HMAC_ID_MAX)
 
+			return -EOPNOTSUPP;
 
+
 
 		if (SCTP_AUTH_HMAC_ID_SHA1 == id)
 
 		if (SCTP_AUTH_HMAC_ID_SHA1 == id)
 
 			has_sha1 = 1;
 
 			has_sha1 = 1;

+ 4 - 2
net/sctp/socket.c
View File 

@@ -3086,6 +3086,7 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
 
 				    int optlen)
 
 				    int optlen)
 
 {
 
 {
 
 	struct sctp_hmacalgo *hmacs;
 
 	struct sctp_hmacalgo *hmacs;
 
+	u32 idents;
 
 	int err;
 
 	int err;
 
 
 
 	if (!sctp_auth_enable)
 
 	if (!sctp_auth_enable)
 
@@ -3103,8 +3104,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
 
 		goto out;
 
 		goto out;
 
 	}
 
 	}
 
 
 
-	if (hmacs->shmac_num_idents == 0 ||
 
-	    hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
 
+	idents = hmacs->shmac_num_idents;
 
+	if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
 
+	    (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
 
 		err = -EINVAL;
 
 		err = -EINVAL;
 
 		goto out;
 
 		goto out;
 
 	}
 
 	}