| From 7bcd9afb203f780afb7fddaf7604166912129c4e Mon Sep 17 00:00:00 2001 |
| From: Vlad Yasevich <vladislav.yasevich@hp.com> |
| Date: Wed, 3 Sep 2008 01:02:19 -0700 |
| Subject: sctp: correct bounds check in sctp_setsockopt_auth_key |
| |
| From: Vlad Yasevich <vladislav.yasevich@hp.com> |
| |
| [ Upstream commit 328fc47ea0bcc27d9afa69c3ad6e52431cadd76c ] |
| |
| The bonds check to prevent buffer overlflow was not exactly |
| right. It still allowed overflow of up to 8 bytes which is |
| sizeof(struct sctp_authkey). |
| |
| Since optlen is already checked against the size of that struct, |
| we are guaranteed not to cause interger overflow either. |
| |
| Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/sctp/socket.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/sctp/socket.c |
| +++ b/net/sctp/socket.c |
| @@ -3072,7 +3072,7 @@ static int sctp_setsockopt_auth_key(stru |
| goto out; |
| } |
| |
| - if (authkey->sca_keylength > optlen) { |
| + if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) { |
| ret = -EINVAL; |
| goto out; |
| } |
