4 files changed, 41 insertions, 27 deletions
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 86366390038a..ddbbf7c81fa1 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
                id = ntohs(hmacs->hmac_ids[i]);
                /* Check the id is in the supported range */
-                if (id > SCTP_AUTH_HMAC_ID_MAX)
+                if (id > SCTP_AUTH_HMAC_ID_MAX) {
+                        id = 0;
                        continue;
+                }
                /* See is we support the id.  Supported IDs have name and
                 * length fields set, so that we can allocated and use
                 * them.  We can safely just check for name, for without the
                 * name, we can't allocate the TFM.
                 */
-                if (!sctp_hmac_list[id].hmac_name)
+                if (!sctp_hmac_list[id].hmac_name) {
+                        id = 0;
                        continue;
+                }
                break;
        }
diff --git a/net/sctp/output.c b/net/sctp/output.c
index a646681f5acd..bcc4590ccaf2 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(struct sctp_packet *packet,
        SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
                          packet, vtag);
-        sctp_packet_reset(packet);
        packet->vtag = vtag;
        if (ecn_capable && sctp_packet_empty(packet)) {
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 24b2cd555637..d344dc481ccc 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1232,6 +1232,18 @@ out:
        return 0;
 }
+static bool list_has_sctp_addr(const struct list_head *list,
+                               union sctp_addr *ipaddr)
+{
+        struct sctp_transport *addr;
+        list_for_each_entry(addr, list, transports) {
+                if (sctp_cmp_addr_exact(ipaddr, &addr->ipaddr))
+                        return true;
+        }
+        return false;
+}
 /* A restart is occurring, check to make sure no new addresses
 * are being added as we may be under a takeover attack.
 */
@@ -1240,10 +1252,10 @@ static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
                                       struct sctp_chunk *init,
                                       sctp_cmd_seq_t *commands)
 {
-        struct sctp_transport *new_addr, *addr;
+        struct sctp_transport *new_addr;
-        int found;
+        int ret = 1;
-        /* Implementor's Guide - Sectin 5.2.2
+        /* Implementor's Guide - Section 5.2.2
         * ...
         * Before responding the endpoint MUST check to see if the
         * unexpected INIT adds new addresses to the association. If new
@@ -1254,31 +1266,19 @@ static int sctp_sf_check_restart_addrs(const struct sctp_association *new_asoc,
        /* Search through all current addresses and make sure
         * we aren't adding any new ones.
         */
-        new_addr = NULL;
-        found = 0;
        list_for_each_entry(new_addr, &new_asoc->peer.transport_addr_list,
-                        transports) {
+                            transports) {
-                found = 0;
+                if (!list_has_sctp_addr(&asoc->peer.transport_addr_list,
-                list_for_each_entry(addr, &asoc->peer.transport_addr_list,
+                                        &new_addr->ipaddr)) {
-                                transports) {
+                        sctp_sf_send_restart_abort(&new_addr->ipaddr, init,
-                        if (sctp_cmp_addr_exact(&new_addr->ipaddr,
+                                                   commands);
-                                                &addr->ipaddr)) {
+                        ret = 0;
-                                found = 1;
-                                break;
-                        }
-                }
-                if (!found)
                        break;
-        }
+                }
-        /* If a new address was added, ABORT the sender. */
-        if (!found && new_addr) {
-                sctp_sf_send_restart_abort(&new_addr->ipaddr, init, commands);
        }
        /* Return success if all addresses were found. */
-        return found;
+        return ret;
 }
 /* Populate the verification/tie tags based on overlapping INIT
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index ca44917872d2..fbb70770ad05 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -916,6 +916,11 @@ SCTP_STATIC int sctp_setsockopt_bindx(struct sock* sk,
        /* Walk through the addrs buffer and count the number of addresses. */
        addr_buf = kaddrs;
        while (walk_size < addrs_size) {
+                if (walk_size + sizeof(sa_family_t) > addrs_size) {
+                        kfree(kaddrs);
+                        return -EINVAL;
+                }
                sa_addr = (struct sockaddr *)addr_buf;
                af = sctp_get_af_specific(sa_addr->sa_family);
@@ -1002,9 +1007,13 @@ static int __sctp_connect(struct sock* sk,
        /* Walk through the addrs buffer and count the number of addresses. */
        addr_buf = kaddrs;
        while (walk_size < addrs_size) {
+                if (walk_size + sizeof(sa_family_t) > addrs_size) {
+                        err = -EINVAL;
+                        goto out_free;
+                }
                sa_addr = (union sctp_addr *)addr_buf;
                af = sctp_get_af_specific(sa_addr->sa.sa_family);
-                port = ntohs(sa_addr->v4.sin_port);
                /* If the address family is not supported or if this address
                 * causes the address buffer to overflow return EINVAL.
@@ -1014,6 +1023,8 @@ static int __sctp_connect(struct sock* sk,
                        goto out_free;
                }
+                port = ntohs(sa_addr->v4.sin_port);
                /* Save current address so we can work with it */
                memcpy(&to, sa_addr, af->sockaddr_len);