diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2010-10-09 12:06:26 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2010-10-09 12:06:26 -0700 |
| commit | 85a331881dd52a93e7d4c57bcaf5486cc8718465 (patch) | |
| tree | 5a09ba7bac0bcc6a54c22e2f45fb7851c3c3f758 /net/sctp/socket.c | |
| parent | 63847e66b28ed5e0dc28409d767e8f3891502ac4 (diff) | |
| parent | ae6df5f96a51818d6376da5307d773baeece4014 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (27 commits)
net: clear heap allocation for ETHTOOL_GRXCLSRLALL
isdn: strcpy() => strlcpy()
Revert "mac80211: use netif_receive_skb in ieee80211_tx_status callpath"
mac80211: delete AddBA response timer
ath9k_hw: fix regression in ANI listen time calculation
caif: fix two caif_connect() bugs
bonding: fix WARN_ON when writing to bond_master sysfs file
skge: add quirk to limit DMA
MAINTAINERS: update Intel LAN Ethernet info
e1000e.txt: Add e1000e documentation
e1000.txt: Update e1000 documentation
ixgbevf.txt: Update ixgbevf documentation
cls_u32: signedness bug
Bluetooth: Disallow to change L2CAP_OPTIONS values when connected
sctp: Fix out-of-bounds reading in sctp_asoc_get_hmac()
sctp: prevent reading out-of-bounds memory
ipv4: correct IGMP behavior on v3 query during v2-compatibility mode
netdev: Depend on INET before selecting INET_LRO
Revert "ipv4: Make INET_LRO a bool instead of tristate."
net: Fix the condition passed to sk_wait_event()
...
Diffstat (limited to 'net/sctp/socket.c')
| -rw-r--r-- | net/sctp/socket.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index ca44917872d2..fbb70770ad05 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -916,6 +916,11 @@ SCTP_STATIC int sctp_setsockopt_bindx(struct sock* sk, /* Walk through the addrs buffer and count the number of addresses. */ addr_buf = kaddrs; while (walk_size < addrs_size) { + if (walk_size + sizeof(sa_family_t) > addrs_size) { + kfree(kaddrs); + return -EINVAL; + } + sa_addr = (struct sockaddr *)addr_buf; af = sctp_get_af_specific(sa_addr->sa_family); @@ -1002,9 +1007,13 @@ static int __sctp_connect(struct sock* sk, /* Walk through the addrs buffer and count the number of addresses. */ addr_buf = kaddrs; while (walk_size < addrs_size) { + if (walk_size + sizeof(sa_family_t) > addrs_size) { + err = -EINVAL; + goto out_free; + } + sa_addr = (union sctp_addr *)addr_buf; af = sctp_get_af_specific(sa_addr->sa.sa_family); - port = ntohs(sa_addr->v4.sin_port); /* If the address family is not supported or if this address * causes the address buffer to overflow return EINVAL. @@ -1014,6 +1023,8 @@ static int __sctp_connect(struct sock* sk, goto out_free; } + port = ntohs(sa_addr->v4.sin_port); + /* Save current address so we can work with it */ memcpy(&to, sa_addr, af->sockaddr_len); |