diff options
author | David S. Miller <davem@davemloft.net> | 2008-06-21 07:04:34 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-06-21 07:04:34 +0200 |
commit | 735ce972fbc8a65fb17788debd7bbe7b4383cc62 (patch) | |
tree | b047160a720011021b148350e42d8cc020f06a61 /net/sctp/socket.c | |
parent | pppoe: warning fix (diff) | |
download | linux-735ce972fbc8a65fb17788debd7bbe7b4383cc62.tar.xz linux-735ce972fbc8a65fb17788debd7bbe7b4383cc62.zip |
sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.
Therefore, enforce an appropriate limit.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to '')
-rw-r--r-- | net/sctp/socket.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index e7e3baf7009e..0dbcde6758ea 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4401,7 +4401,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len, if (copy_from_user(&getaddrs, optval, len)) return -EFAULT; - if (getaddrs.addr_num <= 0) return -EINVAL; + if (getaddrs.addr_num <= 0 || + getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr))) + return -EINVAL; /* * For UDP-style sockets, id specifies the association to query. * If the id field is set to the value '0' then the locally bound |