commit 328fc47ea0bcc27d9afa69c3ad6e52431cadd76c · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

sctp: correct bounds check in sctp_setsockopt_auth_key

The bonds check to prevent buffer overlflow was not exactly
right. It still allowed overflow of up to 8 bytes which is
sizeof(struct sctp_authkey).

Since optlen is already checked against the size of that struct,
we are guaranteed not to cause interger overflow either.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by Vlad Yasevich and committed by David S. Miller 17 years ago 328fc47e f2455eb1

+1 -1

1 changed file

expand all

unified split

net

sctp

socket.c

+1 -1

net/sctp/socket.c

··· 3144 3144 goto out; 3145 3145 } 3146 3146 3147 - if (authkey->sca_keylength > optlen) { 3147 + if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) { 3148 3148 ret = -EINVAL; 3149 3149 goto out; 3150 3150 }