diff options
Diffstat (limited to 'net/sctp')
-rw-r--r-- | net/sctp/auth.c | 8 | ||||
-rw-r--r-- | net/sctp/socket.c | 13 |
2 files changed, 18 insertions, 3 deletions
diff --git a/net/sctp/auth.c b/net/sctp/auth.c index 86366390038a..ddbbf7c81fa1 100644 --- a/net/sctp/auth.c +++ b/net/sctp/auth.c | |||
@@ -543,16 +543,20 @@ struct sctp_hmac *sctp_auth_asoc_get_hmac(const struct sctp_association *asoc) | |||
543 | id = ntohs(hmacs->hmac_ids[i]); | 543 | id = ntohs(hmacs->hmac_ids[i]); |
544 | 544 | ||
545 | /* Check the id is in the supported range */ | 545 | /* Check the id is in the supported range */ |
546 | if (id > SCTP_AUTH_HMAC_ID_MAX) | 546 | if (id > SCTP_AUTH_HMAC_ID_MAX) { |
547 | id = 0; | ||
547 | continue; | 548 | continue; |
549 | } | ||
548 | 550 | ||
549 | /* See is we support the id. Supported IDs have name and | 551 | /* See is we support the id. Supported IDs have name and |
550 | * length fields set, so that we can allocated and use | 552 | * length fields set, so that we can allocated and use |
551 | * them. We can safely just check for name, for without the | 553 | * them. We can safely just check for name, for without the |
552 | * name, we can't allocate the TFM. | 554 | * name, we can't allocate the TFM. |
553 | */ | 555 | */ |
554 | if (!sctp_hmac_list[id].hmac_name) | 556 | if (!sctp_hmac_list[id].hmac_name) { |
557 | id = 0; | ||
555 | continue; | 558 | continue; |
559 | } | ||
556 | 560 | ||
557 | break; | 561 | break; |
558 | } | 562 | } |
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index d4bf2a78cb8a..e34ca9cc1167 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c | |||
@@ -918,6 +918,11 @@ SCTP_STATIC int sctp_setsockopt_bindx(struct sock* sk, | |||
918 | /* Walk through the addrs buffer and count the number of addresses. */ | 918 | /* Walk through the addrs buffer and count the number of addresses. */ |
919 | addr_buf = kaddrs; | 919 | addr_buf = kaddrs; |
920 | while (walk_size < addrs_size) { | 920 | while (walk_size < addrs_size) { |
921 | if (walk_size + sizeof(sa_family_t) > addrs_size) { | ||
922 | kfree(kaddrs); | ||
923 | return -EINVAL; | ||
924 | } | ||
925 | |||
921 | sa_addr = (struct sockaddr *)addr_buf; | 926 | sa_addr = (struct sockaddr *)addr_buf; |
922 | af = sctp_get_af_specific(sa_addr->sa_family); | 927 | af = sctp_get_af_specific(sa_addr->sa_family); |
923 | 928 | ||
@@ -1004,9 +1009,13 @@ static int __sctp_connect(struct sock* sk, | |||
1004 | /* Walk through the addrs buffer and count the number of addresses. */ | 1009 | /* Walk through the addrs buffer and count the number of addresses. */ |
1005 | addr_buf = kaddrs; | 1010 | addr_buf = kaddrs; |
1006 | while (walk_size < addrs_size) { | 1011 | while (walk_size < addrs_size) { |
1012 | if (walk_size + sizeof(sa_family_t) > addrs_size) { | ||
1013 | err = -EINVAL; | ||
1014 | goto out_free; | ||
1015 | } | ||
1016 | |||
1007 | sa_addr = (union sctp_addr *)addr_buf; | 1017 | sa_addr = (union sctp_addr *)addr_buf; |
1008 | af = sctp_get_af_specific(sa_addr->sa.sa_family); | 1018 | af = sctp_get_af_specific(sa_addr->sa.sa_family); |
1009 | port = ntohs(sa_addr->v4.sin_port); | ||
1010 | 1019 | ||
1011 | /* If the address family is not supported or if this address | 1020 | /* If the address family is not supported or if this address |
1012 | * causes the address buffer to overflow return EINVAL. | 1021 | * causes the address buffer to overflow return EINVAL. |
@@ -1016,6 +1025,8 @@ static int __sctp_connect(struct sock* sk, | |||
1016 | goto out_free; | 1025 | goto out_free; |
1017 | } | 1026 | } |
1018 | 1027 | ||
1028 | port = ntohs(sa_addr->v4.sin_port); | ||
1029 | |||
1019 | /* Save current address so we can work with it */ | 1030 | /* Save current address so we can work with it */ |
1020 | memcpy(&to, sa_addr, af->sockaddr_len); | 1031 | memcpy(&to, sa_addr, af->sockaddr_len); |
1021 | 1032 | ||