From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Tue, 13 Nov 2018 15:16:08 +0000 (+0100)
Subject: selinux: check length properly in SCTP bind hook
X-Git-Tag: v4.18.20~38
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5fe5a24a8cc8aad54ea6fce78929c61cebfbd707;p=thirdparty%2Fkernel%2Fstable.git

selinux: check length properly in SCTP bind hook

commit c138325fb8713472d5a0c3c7258b9131bab40725 upstream.

selinux_sctp_bind_connect() must verify if the address buffer has
sufficient length before accessing the 'sa_family' field. See
__sctp_connect() for a similar check.

The length of the whole address ('len') is already checked in the
callees.

Reported-by: Qian Cai <cai@gmx.us>
Fixes: d452930fd3b9 ("selinux: Add SCTP support")
Cc: <stable@vger.kernel.org> # 4.17+
Cc: Richard Haines <richard_c_haines@btinternet.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Tested-by: Qian Cai <cai@gmx.us>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 4680a217d0faf..46ec7be75d4bf 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5306,6 +5306,9 @@ static int selinux_sctp_bind_connect(struct sock *sk, int optname,
 	addr_buf = address;
 
 	while (walk_size < addrlen) {
+		if (walk_size + sizeof(sa_family_t) > addrlen)
+			return -EINVAL;
+
 		addr = addr_buf;
 		switch (addr->sa_family) {
 		case AF_UNSPEC: