+ sctp-prevent-reading-out-of-bounds-memory.patch added to -mm tree
From: akpm @ 2010-09-13 23:42 UTC (permalink / raw)
  To: mm-commits; +Cc: dan.j.rosenberg, davem, vladislav.yasevich


The patch titled
     sctp: prevent reading out-of-bounds memory
has been added to the -mm tree.  Its filename is
     sctp-prevent-reading-out-of-bounds-memory.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: sctp: prevent reading out-of-bounds memory
From: Dan Rosenberg <dan.j.rosenberg@gmail.com>

Two user-controlled allocations in SCTP are subsequently dereferenced as
sockaddr structs, without checking if the dereferenced struct members fall
beyond the end of the allocated chunk.  There doesn't appear to be any
information leakage here based on how these members are used and
additional checking, but it's still worth fixing.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 net/sctp/socket.c |   15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff -puN net/sctp/socket.c~sctp-prevent-reading-out-of-bounds-memory net/sctp/socket.c
--- a/net/sctp/socket.c~sctp-prevent-reading-out-of-bounds-memory
+++ a/net/sctp/socket.c
@@ -918,6 +918,12 @@ SCTP_STATIC int sctp_setsockopt_bindx(st
 	/* Walk through the addrs buffer and count the number of addresses. */
 	addr_buf = kaddrs;
 	while (walk_size < addrs_size) {
+
+               if (walk_size + sizeof(sa_family_t) > addrs_size) {
+                       kfree(kaddrs);
+                       return -EINVAL;
+               }
+
 		sa_addr = (struct sockaddr *)addr_buf;
 		af = sctp_get_af_specific(sa_addr->sa_family);
 
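Review bot: the added block is indented with spaces while the surrounding lines use tabs (checkpatch will flag this), and it is padded with an empty `+` line on each side; a tab-indented check without the blank padding would match the rest of the function. The check itself is the right one for this spot: `sa_addr->sa_family` is dereferenced on the very next line, so at least `sizeof(sa_family_t)` bytes must remain, and freeing `kaddrs` before returning -EINVAL keeps the existing ownership rule.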
@@ -1004,9 +1010,14 @@ static int __sctp_connect(struct sock* s
 	/* Walk through the addrs buffer and count the number of addresses. */
 	addr_buf = kaddrs;
 	while (walk_size < addrs_size) {
+
+               if (walk_size + sizeof(sa_family_t) > addrs_size) {
+                       err = -EINVAL;
+                       goto out_free;
+               }
+
 		sa_addr = (union sctp_addr *)addr_buf;
 		af = sctp_get_af_specific(sa_addr->sa.sa_family);
-		port = ntohs(sa_addr->v4.sin_port);
 
 		/* If the address family is not supported or if this address
 		 * causes the address buffer to overflow return EINVAL.
@@ -1016,6 +1027,8 @@ static int __sctp_connect(struct sock* s
 			goto out_free;
 		}
 
+               port = ntohs(sa_addr->v4.sin_port);
+
 		/* Save current address so we can work with it */
 		memcpy(&to, sa_addr, af->sockaddr_len);
 
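Review bot: placing the `sin_port` read after the `goto out_free` above means the full `af->sockaddr_len` bytes (the length the `memcpy` below relies on) are known to fit before `v4.sin_port` is touched, which is what closes the out-of-bounds read; the two added lines have the same tab-versus-space problem as the earlier hunks. A one-line comment here explaining why the read follows the length check would help, since nothing in the code records the ordering requirement.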
_
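As an added illustration of the bug the commit message describes (not code from the patch or from the kernel), this hypothetical user-space model of the address walk applies both checks in the order the patched loop does, so the port is only read once the whole struct is known to fit; `count_sockaddrs`, `sockaddr_len_for` and `demo_truncated_tail` are assumed names.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical user-space model of the patched walk loop: count the sockaddrs
 * packed in buf, returning -1 (the kernel's -EINVAL) rather than reading past buf_len. */
static size_t sockaddr_len_for(sa_family_t family)
{
	if (family == AF_INET)  return sizeof(struct sockaddr_in);
	if (family == AF_INET6) return sizeof(struct sockaddr_in6);
	return 0; /* unsupported family, like sctp_get_af_specific() returning NULL */
}

int count_sockaddrs(const unsigned char *buf, size_t buf_len)
{
	size_t walk = 0, len;
	int count = 0;
	while (walk < buf_len) {
		sa_family_t family;
		struct sockaddr_storage ss;
		/* Check the patch adds: sa_family itself must be in bounds. */
		if (walk + sizeof(sa_family_t) > buf_len)
			return -1;
		memcpy(&family, buf + walk, sizeof(family));
		/* Pre-existing check: the whole struct for that family must fit. */
		len = sockaddr_len_for(family);
		if (len == 0 || walk + len > buf_len)
			return -1;
		/* Only now is sin_port safe to read; the patch moved the read here. */
		memcpy(&ss, buf + walk, len);
		(void)ntohs(((struct sockaddr_in *)&ss)->sin_port);
		walk += len;
		count++;
	}
	return count;
}

/* Constructed sample: a valid IPv4 sockaddr followed by one stray byte,
 * which the added sa_family_t check rejects instead of reading past the end. */
int demo_truncated_tail(void)
{
	unsigned char buf[sizeof(struct sockaddr_in) + 1] = {0};
	struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(5000) };

	memcpy(buf, &sin, sizeof(sin));
	return count_sockaddrs(buf, sizeof(buf)); /* -1 */
}
```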

Patches currently in -mm which might be from dan.j.rosenberg@gmail.com are

linux-next.patch
sctp-prevent-reading-out-of-bounds-memory.patch
sctp-prevent-reading-out-of-bounds-memory-cleanup.patch

