From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, "David S. Miller" <davem@davemloft.net>
Subject: [patch 3/5] sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
Date: Sun, 22 Jun 2008 12:01:36 -0700
Message-ID: <20080622190136.GC20141@suse.de>
In-Reply-To: <20080622190111.GA20141@suse.de>
[-- Attachment #1: sctp-make-sure-n-sizeof-does-not-overflow.patch --]
[-- Type: text/plain, Size: 1067 bytes --]
2.6.25-stable review patch. If anyone has any objections, please let us
know.
------------------
From: David S. Miller <davem@davemloft.net>
commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62 upstream
As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.
Therefore, enforce an appropriate limit.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/sctp/socket.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4421,7 +4421,9 @@ static int sctp_getsockopt_local_addrs_o
if (copy_from_user(&getaddrs, optval, len))
return -EFAULT;
- if (getaddrs.addr_num <= 0) return -EINVAL;
+ if (getaddrs.addr_num <= 0 ||
+ getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
+ return -EINVAL;
/*
* For UDP-style sockets, id specifies the association to query.
* If the id field is set to the value '0' then the locally bound
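Review bot: The upper bound added in `getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr))` is derived from where the multiplication stops fitting in an int, not from any plausible number of local addresses, so a user-supplied addr_num just under that limit still produces a request of nearly INT_MAX bytes. Consider a smaller, documented cap, and check that the kmalloc() call named in the commit message fails cleanly for a size that large. A smaller point on the same line: the right-hand side is a size_t, so if addr_num is a signed int (as the `<= 0` test suggests) the comparison is done unsigned. That is harmless here, since non-positive values are already rejected by the first arm, but an explicit cast or a one-line comment would make the intent clear to the next reader.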
--