diff options
author | Vlad Yasevich <vladislav.yasevich@hp.com> | 2008-08-28 01:09:49 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-08-28 01:09:49 +0200 |
commit | d97240552cd98c4b07322f30f66fd9c3ba4171de (patch) | |
tree | 61a8fd1ace711bcf2c832d0c453d8fbf6f8f3003 /net/sctp/socket.c | |
parent | sctp: correct bounds check in sctp_setsockopt_auth_key (diff) | |
download | linux-d97240552cd98c4b07322f30f66fd9c3ba4171de.tar.xz linux-d97240552cd98c4b07322f30f66fd9c3ba4171de.zip |
sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
The number of identifiers needs to be checked against the option
length. Also, the identifier index provided needs to be verified
to make sure that it doesn't exceed the bounds of the array.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
-rw-r--r-- | net/sctp/socket.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 9b9b2c31dd15..5ffb9dec1c3f 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -3086,6 +3086,7 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk, int optlen) { struct sctp_hmacalgo *hmacs; + u32 idents; int err; if (!sctp_auth_enable) @@ -3103,8 +3104,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk, goto out; } - if (hmacs->shmac_num_idents == 0 || - hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) { + idents = hmacs->shmac_num_idents; + if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS || + (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) { err = -EINVAL; goto out; } |