sctp: Make sure N * sizeof(union sctp_addr) does not overflow. (CVE-2008-2826)

As noticed by Gabriel Campana, the kmalloc() length arg
passed in by sctp_getsockopt_local_addrs_old() can overflow
if ->addr_num is large enough.

Therefore, enforce an appropriate limit.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@kernel.org>

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 49f9305710305f90d2f584111f5b31888857c2d9..8e1e20567c0cfa8e6103e9892072e213c51f6f74 100644 (file)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3958,7 +3958,9 @@ static int sctp_getsockopt_local_addrs_old(struct sock *sk, int len,
        if (copy_from_user(&getaddrs, optval, sizeof(struct sctp_getaddrs_old)))
                return -EFAULT;
 
-       if (getaddrs.addr_num <= 0) return -EINVAL;
+       if (getaddrs.addr_num <= 0 ||
+           getaddrs.addr_num >= (INT_MAX / sizeof(union sctp_addr)))
+               return -EINVAL;
        /*
         *  For UDP-style sockets, id specifies the association to query.
         *  If the id field is set to the value '0' then the locally bound