From 30c2235cbc477d4629983d440cdc4f496fec9246 Mon Sep 17 00:00:00 2001
From: Vlad Yasevich
Date: Mon, 25 Aug 2008 15:16:19 -0700
Subject: sctp: add verification checks to SCTP_AUTH_KEY option

The structure used for SCTP_AUTH_KEY option contains a length that needs to be verfied to prevent buffer overflow conditions. Spoted by Eugene Teo .
Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
---
 net/sctp/auth.c | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'net/sctp/auth.c')
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 675a5c3e68a..1fcb4cf2f4c 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -80,6 +80,10 @@ static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp)
 {
 struct sctp_auth_bytes *key;
+ /* Verify that we are not going to overflow INT_MAX */
+ if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes))
+ return NULL;
+
 /* Allocate the shared key */
 key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp);
 if (!key)
--
cgit v1.2.3
From d97240552cd98c4b07322f30f66fd9c3ba4171de Mon Sep 17 00:00:00 2001
From: Vlad Yasevich
Date: Wed, 27 Aug 2008 16:09:49 -0700
Subject: sctp: fix random memory dereference with SCTP_HMAC_IDENT option.

The number of identifiers needs to be checked against the option length. Also, the identifier index provided needs to be verified to make sure that it doesn't exceed the bounds of the array.
Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
---
 net/sctp/auth.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'net/sctp/auth.c')
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 1fcb4cf2f4c..52db5f60daa 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
 for (i = 0; i < hmacs->shmac_num_idents; i++) {
 id = hmacs->shmac_idents[i];
+ if (id > SCTP_AUTH_HMAC_ID_MAX)
+ return -EOPNOTSUPP;
+
 if (SCTP_AUTH_HMAC_ID_SHA1 == id)
 has_sha1 = 1;
--
cgit v1.2.3
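Review bot: The new guard in `sctp_auth_create_key` does not reject a `key_len` above `INT_MAX`, because `key_len` is `__u32` and `INT_MAX - key_len` is evaluated in unsigned arithmetic, so it wraps to a large value instead of going negative. Such a length passes the check and reaches `kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp)`, where the sum can wrap on a build with a 32-bit `size_t`. Putting the subtraction on the constant side avoids the wrap: `if (key_len > INT_MAX - sizeof(struct sctp_auth_bytes)) return NULL;`. Whether the callers already bound the length against the option size is not visible here, and the function body continues past the end of the hunk.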
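Review bot: The loop bound `hmacs->shmac_num_idents` is still taken on trust in `sctp_auth_ep_set_hmacs`; the added test only range-checks each `id` after `hmacs->shmac_idents[i]` has already been read. The commit message says the count is checked against the option length, but that check is not in this file's hunk, and the page is limited to net/sctp/auth.c, so it is presumably done in the setsockopt caller. I would record that dependency above the loop, e.g. `/* caller has verified shmac_num_idents against the option length */`, so a future caller does not pass an unchecked count. The function starts and ends outside the hunk.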