| From ddfe8ddeda4fc1fa7cd39462af39d2d7b3423c3c Mon Sep 17 00:00:00 2001 |
| From: Vlad Yasevich <vladislav.yasevich@hp.com> |
| Date: Wed, 3 Sep 2008 01:02:37 -0700 |
| Subject: sctp: fix random memory dereference with SCTP_HMAC_IDENT option. |
| |
| From: Vlad Yasevich <vladislav.yasevich@hp.com> |
| |
| [ Upstream commit d97240552cd98c4b07322f30f66fd9c3ba4171de ] |
| |
| The number of identifiers needs to be checked against the option |
| length. Also, the identifier index provided needs to be verified |
| to make sure that it doesn't exceed the bounds of the array. |
| |
| Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/sctp/auth.c | 3 +++ |
| net/sctp/socket.c | 6 ++++-- |
| 2 files changed, 7 insertions(+), 2 deletions(-) |
| |
| --- a/net/sctp/auth.c |
| +++ b/net/sctp/auth.c |
| @@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_e |
| for (i = 0; i < hmacs->shmac_num_idents; i++) { |
| id = hmacs->shmac_idents[i]; |
| |
| + if (id > SCTP_AUTH_HMAC_ID_MAX) |
| + return -EOPNOTSUPP; |
| + |
| if (SCTP_AUTH_HMAC_ID_SHA1 == id) |
| has_sha1 = 1; |
| |
| --- a/net/sctp/socket.c |
| +++ b/net/sctp/socket.c |
| @@ -3014,6 +3014,7 @@ static int sctp_setsockopt_hmac_ident(st |
| int optlen) |
| { |
| struct sctp_hmacalgo *hmacs; |
| + u32 idents; |
| int err; |
| |
| if (!sctp_auth_enable) |
| @@ -3031,8 +3032,9 @@ static int sctp_setsockopt_hmac_ident(st |
| goto out; |
| } |
| |
| - if (hmacs->shmac_num_idents == 0 || |
| - hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) { |
| + idents = hmacs->shmac_num_idents; |
| + if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS || |
| + (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) { |
| err = -EINVAL; |
| goto out; |
| } |