diff options
author | David S. Miller <davem@davemloft.net> | 2010-10-04 11:56:38 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-10-04 11:56:38 -0700 |
commit | 21a180cda012e1f93e362dd4a9b0bfd3d8c92940 (patch) | |
tree | 0e0d10baa3fdcd8ffbc6881076ff1695808dad9d /net/sctp/socket.c | |
parent | c7d4426a98a5f6654cd0b4b33d9dab2e77192c18 (diff) | |
parent | 51e97a12bef19b7e43199fc153cf9bd5f2140362 (diff) |
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
Conflicts:
net/ipv4/Kconfig
net/ipv4/tcp_timer.c
Diffstat (limited to 'net/sctp/socket.c')
-rw-r--r-- | net/sctp/socket.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index d4bf2a78cb8a..e34ca9cc1167 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -918,6 +918,11 @@ SCTP_STATIC int sctp_setsockopt_bindx(struct sock* sk, /* Walk through the addrs buffer and count the number of addresses. */ addr_buf = kaddrs; while (walk_size < addrs_size) { + if (walk_size + sizeof(sa_family_t) > addrs_size) { + kfree(kaddrs); + return -EINVAL; + } + sa_addr = (struct sockaddr *)addr_buf; af = sctp_get_af_specific(sa_addr->sa_family); @@ -1004,9 +1009,13 @@ static int __sctp_connect(struct sock* sk, /* Walk through the addrs buffer and count the number of addresses. */ addr_buf = kaddrs; while (walk_size < addrs_size) { + if (walk_size + sizeof(sa_family_t) > addrs_size) { + err = -EINVAL; + goto out_free; + } + sa_addr = (union sctp_addr *)addr_buf; af = sctp_get_af_specific(sa_addr->sa.sa_family); - port = ntohs(sa_addr->v4.sin_port); /* If the address family is not supported or if this address * causes the address buffer to overflow return EINVAL. @@ -1016,6 +1025,8 @@ static int __sctp_connect(struct sock* sk, goto out_free; } + port = ntohs(sa_addr->v4.sin_port); + /* Save current address so we can work with it */ memcpy(&to, sa_addr, af->sockaddr_len); |