From cecfcd3b60226d5ddd737df20853e2bba8d3ffd5 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Date: Fri, 1 Oct 2010 11:16:58 +0000
Subject: [PATCH] --- yaml --- r: 211405 b: refs/heads/master c:
 d7e0d19aa0fdd22819d35db551bd54c1bcf9c2aa h: refs/heads/master i:   211403:
 e6ebe6b16139c29b05fcc75002adaef3e61d7899 v: v3

---
 [refs]                  |  2 +-
 trunk/net/sctp/socket.c | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/[refs] b/[refs]
index 8ffe8fc59b22..dd6d8dcea3a4 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 5b7c84066733c5dfb0e4016d939757b38de189e4
+refs/heads/master: d7e0d19aa0fdd22819d35db551bd54c1bcf9c2aa
diff --git a/trunk/net/sctp/socket.c b/trunk/net/sctp/socket.c
index ca44917872d2..fbb70770ad05 100644
--- a/trunk/net/sctp/socket.c
+++ b/trunk/net/sctp/socket.c
@@ -916,6 +916,11 @@ SCTP_STATIC int sctp_setsockopt_bindx(struct sock* sk,
 	/* Walk through the addrs buffer and count the number of addresses. */
 	addr_buf = kaddrs;
 	while (walk_size < addrs_size) {
+		if (walk_size + sizeof(sa_family_t) > addrs_size) {
+			kfree(kaddrs);
+			return -EINVAL;
+		}
+
 		sa_addr = (struct sockaddr *)addr_buf;
 		af = sctp_get_af_specific(sa_addr->sa_family);
 
@@ -1002,9 +1007,13 @@ static int __sctp_connect(struct sock* sk,
 	/* Walk through the addrs buffer and count the number of addresses. */
 	addr_buf = kaddrs;
 	while (walk_size < addrs_size) {
+		if (walk_size + sizeof(sa_family_t) > addrs_size) {
+			err = -EINVAL;
+			goto out_free;
+		}
+
 		sa_addr = (union sctp_addr *)addr_buf;
 		af = sctp_get_af_specific(sa_addr->sa.sa_family);
-		port = ntohs(sa_addr->v4.sin_port);
 
 		/* If the address family is not supported or if this address
 		 * causes the address buffer to overflow return EINVAL.
@@ -1014,6 +1023,8 @@ static int __sctp_connect(struct sock* sk,
 			goto out_free;
 		}
 
+		port = ntohs(sa_addr->v4.sin_port);
+
 		/* Save current address so we can work with it */
 		memcpy(&to, sa_addr, af->sockaddr_len);