[patch 15/16] sctp: fix random memory dereference withSCTP_HMAC_IDENT option.
From: Greg KH
Date: Wed Sep 03 2008 - 13:54:54 EST
2.6.25-stable review patch. If anyone has any objections, please let us know.
------------------
From: Vlad Yasevich <vladislav.yasevich@xxxxxx>
[ Upstream commit d97240552cd98c4b07322f30f66fd9c3ba4171de ]
The number of identifiers needs to be checked against the option
length. Also, the identifier index provided needs to be verified
to make sure that it doesn't exceed the bounds of the array.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@xxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
net/sctp/auth.c | 3 +++
net/sctp/socket.c | 6 ++++--
2 files changed, 7 insertions(+), 2 deletions(-)
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_e
for (i = 0; i < hmacs->shmac_num_idents; i++) {
id = hmacs->shmac_idents[i];
+ if (id > SCTP_AUTH_HMAC_ID_MAX)
+ return -EOPNOTSUPP;
+
if (SCTP_AUTH_HMAC_ID_SHA1 == id)
has_sha1 = 1;
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3014,6 +3014,7 @@ static int sctp_setsockopt_hmac_ident(st
int optlen)
{
struct sctp_hmacalgo *hmacs;
+ u32 idents;
int err;
if (!sctp_auth_enable)
@@ -3031,8 +3032,9 @@ static int sctp_setsockopt_hmac_ident(st
goto out;
}
- if (hmacs->shmac_num_idents == 0 ||
- hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
+ idents = hmacs->shmac_num_idents;
+ if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
+ (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
err = -EINVAL;
goto out;
}
--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/