sctp: fix random memory dereference with SCTP_HMAC_IDENT option.

[ Upstream commit d97240552cd98c4b07322f30f66fd9c3ba4171de ]

The number of identifiers needs to be checked against the option
length.  Also, the identifier index provided needs to be verified
to make sure that it doesn't exceed the bounds of the array.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 1fcb4cf2f4c9bb67a3433bd6182fcaf7b1dd4884..52db5f60daa03ef6f23f9c647129b7dda39e97a8 100644 (file)
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
        for (i = 0; i < hmacs->shmac_num_idents; i++) {
                id = hmacs->shmac_idents[i];
 
+               if (id > SCTP_AUTH_HMAC_ID_MAX)
+                       return -EOPNOTSUPP;
+
                if (SCTP_AUTH_HMAC_ID_SHA1 == id)
                        has_sha1 = 1;
 

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 68681fee61a6cafcb6046659d2106b4ee6656be3..700d27d447ba8a7fa4935c3d06ec82f5be8ee4d1 100644 (file)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2996,6 +2996,7 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
                                    int optlen)
 {
        struct sctp_hmacalgo *hmacs;
+       u32 idents;
        int err;
 
        if (!sctp_auth_enable)
@@ -3013,8 +3014,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
                goto out;
        }
 
-       if (hmacs->shmac_num_idents == 0 ||
-           hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
+       idents = hmacs->shmac_num_idents;
+       if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
+           (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
                err = -EINVAL;
                goto out;
        }