Skip to content

Commit

Permalink
sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
Browse files Browse the repository at this point in the history 
As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
David S. Miller committed Jun 21, 2008
1 parent 2645a3c commit 735ce97
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion net/sctp/socket.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4401,7 +4401,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len,
if (copy_from_user(&getaddrs, optval, len))
return -EFAULT;

if (getaddrs.addr_num <= 0) return -EINVAL;
if (getaddrs.addr_num <= 0 ||
getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
return -EINVAL;
/*
* For UDP-style sockets, id specifies the association to query.
* If the id field is set to the value '0' then the locally bound
Expand Down

0 comments on commit 735ce97

Please sign in to comment.