From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, "David S. Miller" <davem@davemloft.net>
Subject: [patch 03/10] sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
Date: Mon, 23 Jun 2008 16:05:28 -0700
Message-ID: <20080623230528.GJ29853@suse.de>
In-Reply-To: <20080623230417.GA29853@suse.de>
[-- Attachment #1: sctp-make-sure-n-sizeof-does-not-overflow.patch --]
[-- Type: text/plain, Size: 1070 bytes --]
2.6.25.9-stable review patch. If anyone has any objections, please let
us know.
------------------
From: David S. Miller <davem@davemloft.net>
commit 735ce972fbc8a65fb17788debd7bbe7b4383cc62 upstream
As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.
Therefore, enforce an appropriate limit.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/sctp/socket.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4421,7 +4421,9 @@ static int sctp_getsockopt_local_addrs_o
if (copy_from_user(&getaddrs, optval, len))
return -EFAULT;
- if (getaddrs.addr_num <= 0) return -EINVAL;
+ if (getaddrs.addr_num <= 0 ||
+ getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
+ return -EINVAL;
/*
* For UDP-style sockets, id specifies the association to query.
* If the id field is set to the value '0' then the locally bound
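Review bot: The added upper bound `getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr))` only rules out wraparound of the multiplication; a user-supplied addr_num just under that limit still produces a kmalloc() length close to INT_MAX bytes. If the number of locally bound addresses or the remaining option length is available at this point, capping addr_num against that would bound the allocation by something the caller cannot inflate. Separately, the second comparison is between a signed addr_num and an unsigned size_t quotient, so it is only correct because the `<= 0` test short-circuits first; a one-line comment saying so would keep a later reorder of the two conditions from letting negative values through as huge unsigned ones.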
--