aboutsummaryrefslogtreecommitdiffstats
path: root/net/sctp/socket.c
diff options
context:
space:
mode:
authorVlad Yasevich <vladislav.yasevich@hp.com>2008-08-27 19:09:49 -0400
committerDavid S. Miller <davem@davemloft.net>2008-08-27 19:09:49 -0400
commitd97240552cd98c4b07322f30f66fd9c3ba4171de (patch)
tree61a8fd1ace711bcf2c832d0c453d8fbf6f8f3003 /net/sctp/socket.c
parent328fc47ea0bcc27d9afa69c3ad6e52431cadd76c (diff)
sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
The number of identifiers needs to be checked against the option length. Also, the identifier index provided needs to be verified to make sure that it doesn't exceed the bounds of the array. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp/socket.c')
-rw-r--r--net/sctp/socket.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 9b9b2c31dd15..5ffb9dec1c3f 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3086,6 +3086,7 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
3086 int optlen) 3086 int optlen)
3087{ 3087{
3088 struct sctp_hmacalgo *hmacs; 3088 struct sctp_hmacalgo *hmacs;
3089 u32 idents;
3089 int err; 3090 int err;
3090 3091
3091 if (!sctp_auth_enable) 3092 if (!sctp_auth_enable)
@@ -3103,8 +3104,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
3103 goto out; 3104 goto out;
3104 } 3105 }
3105 3106
3106 if (hmacs->shmac_num_idents == 0 || 3107 idents = hmacs->shmac_num_idents;
3107 hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) { 3108 if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
3109 (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
3108 err = -EINVAL; 3110 err = -EINVAL;
3109 goto out; 3111 goto out;
3110 } 3112 }