sctp: Make sure N * sizeof(union sctp_addr) does not overflow. (CVE-2008-2826)

As noticed by Gabriel Campana, the kmalloc() length arg passed in by sctp_getsockopt_local_addrs_old() can overflow if ->addr_num is large enough. Therefore, enforce an appropriate limit. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@kernel.org>
author: David S. Miller <davem@davemloft.net> 2008-07-19 23:30:57 +0300
committer: Adrian Bunk <bunk@kernel.org> 2008-07-19 23:31:06 +0300
commit: 423044bed36af8792ea9e861a2fa33ed52a8fcbd (patch)
tree: 75881c793a109909bb1150c9efe5fe0620c30908
parent: a203d3ccd131487b38094c3f5f4fb4f2fed593d7 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 49f930571030..8e1e20567c0c 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3958,7 +3958,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len,
 	if (copy_from_user(&getaddrs, optval, sizeof(struct sctp_getaddrs_old)))
 		return -EFAULT;
 
-	if (getaddrs.addr_num <= 0) return -EINVAL;
+	if (getaddrs.addr_num <= 0 ||
+	    getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
+		return -EINVAL;
 	/*
 	 *  For UDP-style sockets, id specifies the association to query.
 	 *  If the id field is set to the value '0' then the locally bound
author	David S. Miller <davem@davemloft.net>	2008-07-19 23:30:57 +0300
committer	Adrian Bunk <bunk@kernel.org>	2008-07-19 23:31:06 +0300
commit	423044bed36af8792ea9e861a2fa33ed52a8fcbd (patch)
tree	75881c793a109909bb1150c9efe5fe0620c30908
parent	a203d3ccd131487b38094c3f5f4fb4f2fed593d7 (diff)