summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorVlad Yasevich <vladislav.yasevich@hp.com>2008-09-03 01:02:37 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2008-09-08 03:20:21 -0700
commit6d204e4fe042aafb1e443b08de56b4fa5cf012ca (patch)
tree6e376f58260ffb45f296ff5864c1f38797fc6951 /net
parent113de4111795af1245a84368c233f25699999908 (diff)
sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
[ Upstream commit d97240552cd98c4b07322f30f66fd9c3ba4171de ] The number of identifiers needs to be checked against the option length. Also, the identifier index provided needs to be verified to make sure that it doesn't exceed the bounds of the array. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net')
-rw-r--r--net/sctp/auth.c3
-rw-r--r--net/sctp/socket.c6
2 files changed, 7 insertions, 2 deletions
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 1fcb4cf2f4c9..52db5f60daa0 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
for (i = 0; i < hmacs->shmac_num_idents; i++) {
id = hmacs->shmac_idents[i];
+ if (id > SCTP_AUTH_HMAC_ID_MAX)
+ return -EOPNOTSUPP;
+
if (SCTP_AUTH_HMAC_ID_SHA1 == id)
has_sha1 = 1;
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 05185c772d25..f8c66d63612b 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3014,6 +3014,7 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
int optlen)
{
struct sctp_hmacalgo *hmacs;
+ u32 idents;
int err;
if (!sctp_auth_enable)
@@ -3031,8 +3032,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
goto out;
}
- if (hmacs->shmac_num_idents == 0 ||
- hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
+ idents = hmacs->shmac_num_idents;
+ if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
+ (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
err = -EINVAL;
goto out;
}