sctp: fix random memory dereference with SCTP_HMAC_IDENT option. The number of identifiers needs to be checked against the option length. Also, the identifier index provided needs to be verified to make sure that it doesn't exceed the bounds of the array. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: d97240552cd98c4b07322f30f66fd9c3ba4171de [log] [tgz]
author: Vlad Yasevich <vladislav.yasevich@hp.com> Wed Aug 27 16:09:49 2008 -0700
committer: David S. Miller <davem@davemloft.net> Wed Aug 27 16:09:49 2008 -0700
tree: 61a8fd1ace711bcf2c832d0c453d8fbf6f8f3003
parent: 328fc47ea0bcc27d9afa69c3ad6e52431cadd76c [diff] [blame]
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 1fcb4cf..52db5f6 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c

@@ -786,6 +786,9 @@
 	for (i = 0; i < hmacs->shmac_num_idents; i++) {
 		id = hmacs->shmac_idents[i];
 
+		if (id > SCTP_AUTH_HMAC_ID_MAX)
+			return -EOPNOTSUPP;
+
 		if (SCTP_AUTH_HMAC_ID_SHA1 == id)
 			has_sha1 = 1;
commit	d97240552cd98c4b07322f30f66fd9c3ba4171de	[log] [tgz]
author	Vlad Yasevich <vladislav.yasevich@hp.com>	Wed Aug 27 16:09:49 2008 -0700
committer	David S. Miller <davem@davemloft.net>	Wed Aug 27 16:09:49 2008 -0700
tree	61a8fd1ace711bcf2c832d0c453d8fbf6f8f3003
parent	328fc47ea0bcc27d9afa69c3ad6e52431cadd76c [diff] [blame]