From: David S. Miller <davem@davemloft.net>
Date: Sat, 21 Jun 2008 05:04:34 +0000 (-0700)
Subject: sctp: Make sure N * sizeof(union sctp_addr) does not overflow.
X-Git-Tag: v2.6.26-rc8~24^2~1
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=735ce972fbc8a65fb17788debd7bbe7b4383cc62;p=platform%2Fupstream%2Fkernel-adaptation-pc.git

sctp: Make sure N * sizeof(union sctp_addr) does not overflow.

As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index e7e3baf..0dbcde6 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4401,7 +4401,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len,
 	if (copy_from_user(&getaddrs, optval, len))
 		return -EFAULT;
 
-	if (getaddrs.addr_num <= 0) return -EINVAL;
+	if (getaddrs.addr_num <= 0 ||
+	    getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
+		return -EINVAL;
 	/*
 	 *  For UDP-style sockets, id specifies the association to query.
 	 *  If the id field is set to the value '0' then the locally bound