From: David S. Miller <davem@redhat.com> Date: Sat, 21 Jun 2008 01:15:34 -0400 Subject: [net] sctp: make sure sctp_addr does not overflow Message-id: 20080621.011534.39478761.davem@redhat.com O-Subject: [PATCH]: SCTP local root hole... Bugzilla: 452483 RH-Acked-by: Alexander Viro <aviro@redhat.com> RH-Acked-by: Neil Horman <nhorman@redhat.com> RH-Acked-by: James Morris <jmorris@redhat.com> It's not remotely exploitable but any local user can probably use this to gain root or other arbitrary privileges as it allows writing over kernel memory. I just checked this into the net-2.6 tree and it will thus be upstream in Linus's tree in the next day or two. It will hopefully got to -stable immediately afterwards. -------------------- sctp: Make sure N * sizeof(union sctp_addr) does not overflow. As noticed by Gabriel Campana, the kmalloc() length arg passed in by sctp_getsockopt_local_addrs_old() can overflow if ->addr_num is large enough. Therefore, enforce an appropriate limit. Signed-off-by: David S. Miller <davem@davemloft.net> diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 9adc06f..cdddff5 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4024,7 +4024,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len, if (copy_from_user(&getaddrs, optval, sizeof(struct sctp_getaddrs_old))) return -EFAULT; - if (getaddrs.addr_num <= 0) return -EINVAL; + if (getaddrs.addr_num <= 0 || + getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr))) + return -EINVAL; /* * For UDP-style sockets, id specifies the association to query. * If the id field is set to the value '0' then the locally bound