Home » Mailing list archives » linux-kernel » 2008 » June » 23

[patch 03/10] sctp: Make sure N * sizeof(union sctp_addr) does not overflow.

!MAILaRCHIVE_VOTE_RePLACE
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Greg KH <gregkh@...>
To: <linux-kernel@...>, <stable@...>
Cc: Justin Forbes <jmforbes@...>, Zwane Mwaikambo <zwane@...>, Theodore Ts'o <tytso@...>, Randy Dunlap <rdunlap@...>, Dave Jones <davej@...>, Chuck Wolber <chuckw@...>, Chris Wedgwood <reviews@...>, Michael Krufky <mkrufky@...>, Chuck Ebbert <cebbert@...>, Domenico Andreoli <cavokz@...>, Willy Tarreau <w@...>, Rodrigo Rubira Branco <rbranco@...>, <torvalds@...>, <akpm@...>, <alan@...>, David S. Miller <davem@...>
Subject: [patch 03/10] sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
Date: Monday, June 23, 2008 - 7:05 pm

2.6.25.9-stable review patch.  If anyone has any objections, please let
us know.

------------------ 
From: David S. Miller <davem@davemloft.net>

commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62 upstream

As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/sctp/socket.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4421,7 +4421,9 @@ static int sctp_getsockopt_local_addrs_o
 	if (copy_from_user(&getaddrs, optval, len))
 		return -EFAULT;
 
-	if (getaddrs.addr_num <= 0) return -EINVAL;
+	if (getaddrs.addr_num <= 0 ||
+	    getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
+		return -EINVAL;
 	/*
 	 *  For UDP-style sockets, id specifies the association to query.
 	 *  If the id field is set to the value '0' then the locally bound

-- 
--
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
[patch 00/10] 2.6.28.9-rc2 review, Greg KH, (Mon Jun 23, 7:04 pm)
Re: [patch 00/10] 2.6.28.9-rc2 review, Greg KH, (Mon Jun 23, 7:22 pm)
[patch 04/10] x86: use BOOTMEM_EXCLUSIVE on 32-bit, Greg KH, (Mon Jun 23, 7:05 pm)
[patch 03/10] sctp: Make sure N * sizeof(union sctp_addr) do..., Greg KH, (Mon Jun 23, 7:05 pm)
[patch 02/10] Reinstate ZERO_PAGE optimization in get_user_p..., Greg KH, (Mon Jun 23, 7:05 pm)
[patch 01/10] atl1: relax eeprom mac address error check, Greg KH, (Mon Jun 23, 7:05 pm)
[patch 07/10] watchdog: hpwdt: fix use of inline assembly, Greg KH, (Mon Jun 23, 7:05 pm)
[patch 06/10] Add return value to reserve_bootmem_node(), Greg KH, (Mon Jun 23, 7:04 pm)
Re: [patch 06/10] Add return value to reserve_bootmem_node(), Adrian Bunk, (Tue Jun 24, 7:06 am)
Re: [patch 06/10] Add return value to reserve_bootmem_node(), Greg KH, (Tue Jun 24, 5:07 pm)
[patch 05/10] x86: set PAE PHYSICAL_MASK_SHIFT to 44 bits., Greg KH, (Mon Jun 23, 7:04 pm)
[patch 10/10] Fix ZERO_PAGE breakage with vmware, Greg KH, (Mon Jun 23, 7:04 pm)
Re: [patch 10/10] Fix ZERO_PAGE breakage with vmware, Linus Torvalds, (Mon Jun 23, 7:28 pm)
Re: [patch 10/10] Fix ZERO_PAGE breakage with vmware, Greg KH, (Tue Jun 24, 2:04 am)
[patch 09/10] hwmon: (adt7473) Initialize max_duty_at_overhe..., Greg KH, (Mon Jun 23, 7:04 pm)
[patch 08/10] hwmon: (lm85) Fix function RANGE_TO_REG(), Greg KH, (Mon Jun 23, 7:04 pm)