Attachment 315341 Details for Bug 460093 – Proposed backported patch for MRG kernel

[patch] Proposed backported patch for MRG kernel

bz#460094.patch (text/plain), 1.16 KB, created by Eugene Teo (Security Response) on 2008-08-29 07:42:04 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Eugene Teo (Security Response)

Created: 2008-08-29 07:42:04 UTC

Size: 1.16 KB

patch

obsolete

>diff -uprN linux-2.6.24.7.noarch.default/net/sctp/auth.c linux-2.6.24.7.noarch/net/sctp/auth.c
>--- linux-2.6.24.7.noarch.default/net/sctp/auth.c	2008-08-27 22:19:59.051938000 -0400
>+++ linux-2.6.24.7.noarch/net/sctp/auth.c	2008-08-29 03:33:02.424064000 -0400
>@@ -80,6 +80,10 @@ static struct sctp_auth_bytes *sctp_auth
> {
> 	struct sctp_auth_bytes *key;
> 
>+	/* Verify that we are not going to overflow INT_MAX */
>+	if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes))
>+		return NULL;
>+
> 	/* Allocate the shared key */
> 	key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp);
> 	if (!key)
>diff -uprN linux-2.6.24.7.noarch.default/net/sctp/socket.c linux-2.6.24.7.noarch/net/sctp/socket.c
>--- linux-2.6.24.7.noarch.default/net/sctp/socket.c	2008-08-29 03:18:29.876875000 -0400
>+++ linux-2.6.24.7.noarch/net/sctp/socket.c	2008-08-29 03:35:27.444888000 -0400
>@@ -3039,6 +3039,11 @@ static int sctp_setsockopt_auth_key(stru
> 		goto out;
> 	}
> 
>+	if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) {
>+		ret = -EINVAL;
>+		goto out;
>+	}
>+
> 	asoc = sctp_id2assoc(sk, authkey->sca_assoc_id);
> 	if (!asoc && authkey->sca_assoc_id && sctp_style(sk, UDP)) {
> 		ret = -EINVAL;

Actions: View | Diff

Attachments on bug 460093: 315008 | 315341