[patch 3/5] sctp: Make sure N * sizeof(union sctp_addr) does not overflow.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: <linux-kernel@...>, <stable@...>

Cc: Justin Forbes <jmforbes@...>, Zwane Mwaikambo <zwane@...>, Theodore Ts'o <tytso@...>, Randy Dunlap <rdunlap@...>, Dave Jones <davej@...>, Chuck Wolber <chuckw@...>, Chris Wedgwood <reviews@...>, Michael Krufky <mkrufky@...>, Chuck Ebbert <cebbert@...>, Domenico Andreoli <cavokz@...>, Willy Tarreau <w@...>, Rodrigo Rubira Branco <rbranco@...>, <torvalds@...>, <akpm@...>, <alan@...>, David S. Miller <davem@...>

Subject: [patch 3/5] sctp: Make sure N * sizeof(union sctp_addr) does not overflow.

Date: Sunday, June 22, 2008 - 3:01 pm

2.6.25-stable review patch.  If anyone has any objections, please let us
know.

------------------
From: David S. Miller <davem@davemloft.net>

commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62 upstream

As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/sctp/socket.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4421,7 +4421,9 @@ static int sctp_getsockopt_local_addrs_o
 	if (copy_from_user(&getaddrs, optval, len))
 		return -EFAULT;
 
-	if (getaddrs.addr_num <= 0) return -EINVAL;
+	if (getaddrs.addr_num <= 0 ||
+	    getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
+		return -EINVAL;
 	/*
 	 *  For UDP-style sockets, id specifies the association to query.
 	 *  If the id field is set to the value '0' then the locally bound

-- 
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[patch 0/5] 2.6.25-stable review, Greg KH, (Sun Jun 22, 3:01 pm)

Re: [patch 0/5] 2.6.25-stable review, S.Çağlar, (Mon Jun 23, 7:19 am)

Re: [stable] [patch 0/5] 2.6.25-stable review, Greg KH, (Mon Jun 23, 3:30 pm)

[patch 5/5] x86: set PAE PHYSICAL_MASK_SHIFT to 44 bits., , (Sun Jun 22, 3:01 pm)

[patch 1/5] atl1: relax eeprom mac address error check, Greg KH, (Sun Jun 22, 3:01 pm)

[patch 2/5] Reinstate ZERO_PAGE optimization in get_user_pag..., Greg KH, (Sun Jun 22, 3:01 pm)

Re: [patch 2/5] Reinstate ZERO_PAGE optimization in get_user..., Linus Torvalds, (Sun Jun 22, 3:22 pm)

Re: [patch 2/5] Reinstate ZERO_PAGE optimization in get_user..., Greg KH, (Sun Jun 22, 4:29 pm)

Re: [patch 2/5] Reinstate ZERO_PAGE optimization in get_user..., Jeff Chua, (Mon Jun 23, 11:32 am)

Re: [patch 2/5] Reinstate ZERO_PAGE optimization in get_user..., Hugh Dickins, (Mon Jun 23, 12:04 pm)

Re: [patch 2/5] Reinstate ZERO_PAGE optimization in get_user..., Linus Torvalds, (Mon Jun 23, 12:39 pm)

Re: [patch 2/5] Reinstate ZERO_PAGE optimization in get_user..., Jeff Chua, (Mon Jun 23, 1:05 pm)

Re: [patch 2/5] Reinstate ZERO_PAGE optimization in get_user..., Linus Torvalds, (Mon Jun 23, 1:27 pm)

Re: [patch 2/5] Reinstate ZERO_PAGE optimization in get_user..., Jeff Chua, (Mon Jun 23, 2:15 pm)

Re: [patch 2/5] Reinstate ZERO_PAGE optimization in get_user..., Linus Torvalds, (Mon Jun 23, 2:32 pm)

[patch 3/5] sctp: Make sure N * sizeof(union sctp_addr) does..., Greg KH, (Sun Jun 22, 3:01 pm)

Re: [patch 3/5] sctp: Make sure N * sizeof(union sctp_addr) ..., David Miller, (Sun Jun 22, 3:23 pm)

Re: [patch 3/5] sctp: Make sure N * sizeof(union sctp_addr) ..., Greg KH, (Sun Jun 22, 4:28 pm)

Re: [patch 3/5] sctp: Make sure N * sizeof(union sctp_addr) ..., David Miller, (Mon Jun 23, 5:36 pm)

Re: [patch 3/5] sctp: Make sure N * sizeof(union sctp_addr) ..., Greg KH, (Mon Jun 23, 5:43 pm)

[patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Greg KH, (Sun Jun 22, 3:01 pm)

Re: [patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Johannes Weiner, (Sun Jun 22, 4:22 pm)

Re: [patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Greg KH, (Sun Jun 22, 4:30 pm)

Re: [patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Linus Torvalds, (Sun Jun 22, 4:36 pm)

Re: [patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Ingo Molnar, (Mon Jun 23, 4:09 am)

Re: [stable] [patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Greg KH, (Mon Jun 23, 3:20 pm)

Re: [stable] [patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Ingo Molnar, (Mon Jun 23, 3:36 pm)

Re: [patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Bernhard Walle, (Mon Jun 23, 6:33 am)

Re: [patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Ingo Molnar, (Mon Jun 23, 6:53 am)

Re: [patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Bernhard Walle, (Mon Jun 23, 9:21 am)

Re: [patch 4/5] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Adrian Bunk, (Sun Jun 22, 4:36 pm)


linux-kernel:
Ingo Molnar	Re: containers (was Re: -mm merge plans for 2.6.23)
Greg Kroah-Hartman	[PATCH 009/196] Chinese: add translation of sparse.txt
holzheu	Re: [RFC/PATCH] Documentation of kernel messages
Vladislav Bolkhovitin	Re: Integration of SCST in the mainstream Linux kernel
git:

linux-netdev:
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
David Miller	[GIT]: Networking
Antonio Almeida	HTB accuracy for high speed
openbsd-misc:

[patch 3/5] sctp: Make sure N * sizeof(union sctp_addr) does not overflow.

Online users