Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 735ce972 authored by David S. Miller's avatar David S. Miller
Browse files

sctp: Make sure N * sizeof(union sctp_addr) does not overflow. 



As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 2645a3c3

net/sctp/socket.c

+3 −1
Original line number Original line Diff line number Diff line
@@ -4401,7 +4401,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len, 
	if (copy_from_user(&getaddrs, optval, len))

	if (copy_from_user(&getaddrs, optval, len))

		return -EFAULT;

		return -EFAULT;





	if (getaddrs.addr_num <= 0) return -EINVAL;

	if (getaddrs.addr_num <= 0 ||

	    getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))

		return -EINVAL;

	/*

	/*

	 *  For UDP-style sockets, id specifies the association to query.

	 *  For UDP-style sockets, id specifies the association to query.

	 *  If the id field is set to the value '0' then the locally bound

	 *  If the id field is set to the value '0' then the locally bound