    sctp: better integer overflow check in sctp_auth_create_key() · c89304b8
    Xi Wang authored
    The check from commit 30c2235c is incomplete and cannot prevent
    cases like key_len = 0x80000000 (INT_MAX + 1).  In that case, the
    left-hand side of the check (INT_MAX - key_len), which is unsigned,
    becomes 0xffffffff (UINT_MAX) and bypasses the check.
    
    However this shouldn't be a security issue.  The function is called
    from the following two code paths:
    
     1) setsockopt()
    
     2) sctp_auth_asoc_set_secret()
    
    In case (1), sca_keylength is never going to exceed 65535 since it's
    bounded by a u16 from the user API.  As such, the key length will
    never overflow.
    
    In case (2), sca_keylength is computed based on the user key (1 short)
    and 2 * key_vector (3 shorts) for a total of 7 * USHRT_MAX, which still
    will not overflow.
    
    In other words, this overflow check is not really necessary.  Just
    make it more correct.
    Signed-off-by: Xi Wang <xi.wang@gmail.com>
    Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
auth.c 23.9 KB
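
The wrap-around the commit message describes, as an added stand-alone example (not the kernel's code and not part of this commit). The check shapes are reconstructed from the message's wording; `HDR_SIZE`, the function names and a 32-bit `int` are assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the fixed-size header allocated in front of the
 * key bytes; the real structure is not shown on the page. */
#define HDR_SIZE ((size_t)16)

/* Check shaped as the message describes it: the left-hand side
 * (INT_MAX - key_len) is evaluated as unsigned, so it wraps to a huge
 * value once key_len exceeds INT_MAX. Returns 1 if key_len is accepted. */
static int old_check_accepts(uint32_t key_len)
{
    if ((INT_MAX - key_len) < HDR_SIZE)
        return 0;
    return 1;
}

/* Overflow-safe form: subtract the constant from INT_MAX instead, so no
 * operand can wrap, then compare key_len against that bound. */
static int new_check_accepts(uint32_t key_len)
{
    if (key_len > INT_MAX - HDR_SIZE)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample lengths: the two reachable maxima named in the
     * message, values around the boundary, and the bypassing values. */
    const uint32_t samples[] = {
        65535u, 7u * USHRT_MAX, 0x7fffffefu,
        (uint32_t)INT_MAX - 8u, 0x80000000u, 0xffffffffu,
    };

    printf("%-12s %-4s %-4s\n", "key_len", "old", "new");
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%#-12x %-4s %-4s\n", (unsigned)samples[i],
               old_check_accepts(samples[i]) ? "ok" : "rej",
               new_check_accepts(samples[i]) ? "ok" : "rej");
    return 0;
}
```

The two checks agree for every length up to INT_MAX and differ only above it, which is why the lengths reachable from the two call paths listed in the message are unaffected.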