sctp: fix random memory dereference with SCTP_HMAC_IDENT option.

The number of identifiers needs to be checked against the option
length.  Also, the identifier index provided needs to be verified
to make sure that it doesn't exceed the bounds of the array.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 1fcb4cf2f4c9bb67a3433bd6182fcaf7b1dd4884..52db5f60daa03ef6f23f9c647129b7dda39e97a8 100644 (file)
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -786,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
        for (i = 0; i < hmacs->shmac_num_idents; i++) {
                id = hmacs->shmac_idents[i];
 
+               if (id > SCTP_AUTH_HMAC_ID_MAX)
+                       return -EOPNOTSUPP;
+
                if (SCTP_AUTH_HMAC_ID_SHA1 == id)
                        has_sha1 = 1;
 

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 9b9b2c31dd15c780eac5d80e5fcae45572b781bf..5ffb9dec1c3f17526a5c4474e086a2cd04c2a588 100644 (file)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3086,6 +3086,7 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
                                    int optlen)
 {
        struct sctp_hmacalgo *hmacs;
+       u32 idents;
        int err;
 
        if (!sctp_auth_enable)
@@ -3103,8 +3104,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
                goto out;
        }
 
-       if (hmacs->shmac_num_idents == 0 ||
-           hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
+       idents = hmacs->shmac_num_idents;
+       if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
+           (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
                err = -EINVAL;
                goto out;
        }