3 files changed, 18 insertions, 4 deletions

diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 86366390038a..ddbbf7c81fa1 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc)
                 id = ntohs(hmacs->hmac_ids[i]);
 
                 /* Check the id is in the supported range */
-                if (id > SCTP_AUTH_HMAC_ID_MAX)
+                if (id > SCTP_AUTH_HMAC_ID_MAX) {
+                        id = 0;
                         continue;
+                }
 
                 /* See is we support the id.  Supported IDs have name and
                  * length fields set, so that we can allocated and use
                  * them.  We can safely just check for name, for without the
                  * name, we can't allocate the TFM.
                  */
-                if (!sctp_hmac_list[id].hmac_name)
+                if (!sctp_hmac_list[id].hmac_name) {
+                        id = 0;
                         continue;
+                }
 
                 break;
         }
diff --git a/net/sctp/output.c b/net/sctp/output.c
index a646681f5acd..bcc4590ccaf2 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -92,7 +92,6 @@ struct sctp_packet *sctp_packet_config(struct sctp_packet *packet,
         SCTP_DEBUG_PRINTK("%s: packet:%p vtag:0x%x\n", __func__,
                           packet, vtag);
 
-        sctp_packet_reset(packet);
         packet->vtag = vtag;
 
         if (ecn_capable && sctp_packet_empty(packet)) {
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index ca44917872d2..fbb70770ad05 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -916,6 +916,11 @@ SCTP_STATIC int sctp_setsockopt_bindx(struct sock* sk,
         /* Walk through the addrs buffer and count the number of addresses. */
         addr_buf = kaddrs;
         while (walk_size < addrs_size) {
+                if (walk_size + sizeof(sa_family_t) > addrs_size) {
+                        kfree(kaddrs);
+                        return -EINVAL;
+                }
+
                 sa_addr = (struct sockaddr *)addr_buf;
                 af = sctp_get_af_specific(sa_addr->sa_family);
 
@@ -1002,9 +1007,13 @@ static int __sctp_connect(struct sock* sk,
         /* Walk through the addrs buffer and count the number of addresses. */
         addr_buf = kaddrs;
         while (walk_size < addrs_size) {
+                if (walk_size + sizeof(sa_family_t) > addrs_size) {
+                        err = -EINVAL;
+                        goto out_free;
+                }
+
                 sa_addr = (union sctp_addr *)addr_buf;
                 af = sctp_get_af_specific(sa_addr->sa.sa_family);
-                port = ntohs(sa_addr->v4.sin_port);
 
                 /* If the address family is not supported or if this address
                  * causes the address buffer to overflow return EINVAL.
@@ -1014,6 +1023,8 @@ static int __sctp_connect(struct sock* sk,
                         goto out_free;
                 }
 
+                port = ntohs(sa_addr->v4.sin_port);
+
                 /* Save current address so we can work with it */
                 memcpy(&to, sa_addr, af->sockaddr_len);