From: Nikolay Kuratov <kniv@yandex-team.ru>
Date: Thu, 19 Dec 2024 16:21:14 +0000 (+0300)
Subject: net/sctp: Prevent autoclose integer overflow in sctp_association_init()
X-Git-Tag: v5.10.233~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=081bdb3a31674339313c6d702af922bc29de2c53;p=thirdparty%2Fkernel%2Fstable.git

net/sctp: Prevent autoclose integer overflow in sctp_association_init()

commit 4e86729d1ff329815a6e8a920cb554a1d4cb5b8d upstream.

While by default max_autoclose equals to INT_MAX / HZ, one may set
net.sctp.max_autoclose to UINT_MAX. There is code in
sctp_association_init() that can consequently trigger overflow.

Cc: stable@vger.kernel.org
Fixes: 9f70f46bd4c7 ("sctp: properly latch and use autoclose value from sock to association")
Signed-off-by: Nikolay Kuratov <kniv@yandex-team.ru>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20241219162114.2863827-1-kniv@yandex-team.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 765eb617776b3..c333a63c3465e 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -134,7 +134,8 @@ static struct sctp_association *sctp_association_init(
 		= 5 * asoc->rto_max;
 
 	asoc->timeouts[SCTP_EVENT_TIMEOUT_SACK] = asoc->sackdelay;
-	asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE] = sp->autoclose * HZ;
+	asoc->timeouts[SCTP_EVENT_TIMEOUT_AUTOCLOSE] =
+		(unsigned long)sp->autoclose * HZ;
 
 	/* Initializes the timers */
 	for (i = SCTP_EVENT_TIMEOUT_NONE; i < SCTP_NUM_TIMEOUT_TYPES; ++i)