Commit ff134d48 authored by Vlad Yasevich's avatar Vlad Yasevich Committed by Greg Kroah-Hartman

sctp: fix random memory dereference with SCTP_HMAC_IDENT option.

[ Upstream commit d9724055 ]

The number of identifiers needs to be checked against the option
length.  Also, the identifier index provided needs to be verified
to make sure that it doesn't exceed the bounds of the array.
Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 53144b41
...@@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep, ...@@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
for (i = 0; i < hmacs->shmac_num_idents; i++) { for (i = 0; i < hmacs->shmac_num_idents; i++) {
id = hmacs->shmac_idents[i]; id = hmacs->shmac_idents[i];
if (id > SCTP_AUTH_HMAC_ID_MAX)
return -EOPNOTSUPP;
if (SCTP_AUTH_HMAC_ID_SHA1 == id) if (SCTP_AUTH_HMAC_ID_SHA1 == id)
has_sha1 = 1; has_sha1 = 1;
......
...@@ -2996,6 +2996,7 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk, ...@@ -2996,6 +2996,7 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
int optlen) int optlen)
{ {
struct sctp_hmacalgo *hmacs; struct sctp_hmacalgo *hmacs;
u32 idents;
int err; int err;
if (!sctp_auth_enable) if (!sctp_auth_enable)
...@@ -3013,8 +3014,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk, ...@@ -3013,8 +3014,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
goto out; goto out;
} }
if (hmacs->shmac_num_idents == 0 || idents = hmacs->shmac_num_idents;
hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) { if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
(idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
err = -EINVAL; err = -EINVAL;
goto out; goto out;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment