sctp: Make sure N * sizeof(union sctp_addr) does not overflow (CVE-2008-2826)

[backport of 2.6 commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62] As noticed by Gabriel Campana, the kmalloc() length arg passed in by sctp_getsockopt_local_addrs_old() can overflow if ->addr_num is large enough. Therefore, enforce an appropriate limit. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
author: David S. Miller <davem@davemloft.net> 2008-06-20 22:04:34 -0700
committer: Willy Tarreau <w@1wt.eu> 2008-09-06 16:30:13 +0200
commit: 4f91bd1cf06fd857b9cdba9004fe467b92f1b418 (patch)
tree: a808add059013ce1b44508fd2d87f6c33216078a
parent: ac5d8f8f46918e950a42c347a8695c2a16aedec4 (diff)
download: linux-2.4-4f91bd1cf06fd857b9cdba9004fe467b92f1b418.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 05afb7b342fdd7..37fb63b833f9fd 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3175,7 +3175,9 @@ static int sctp_getsockopt_local_addrs(struct sock *sk, int len,
 	if (copy_from_user(&getaddrs, optval, sizeof(struct sctp_getaddrs)))
 		return -EFAULT;
 
-	if (getaddrs.addr_num <= 0) return -EINVAL;
+	if (getaddrs.addr_num <= 0 ||
+	    getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
+		return -EINVAL;
 	/*
 	 *  For UDP-style sockets, id specifies the association to query.
 	 *  If the id field is set to the value '0' then the locally bound
author	David S. Miller <davem@davemloft.net>	2008-06-20 22:04:34 -0700
committer	Willy Tarreau <w@1wt.eu>	2008-09-06 16:30:13 +0200
commit	4f91bd1cf06fd857b9cdba9004fe467b92f1b418 (patch)
tree	a808add059013ce1b44508fd2d87f6c33216078a
parent	ac5d8f8f46918e950a42c347a8695c2a16aedec4 (diff)
download	linux-2.4-4f91bd1cf06fd857b9cdba9004fe467b92f1b418.tar.gz