4.19-stable review patch. If anyone has any objections, please let me know.
------------------ From: Ondrej Mosnacek <[email protected]> commit c138325fb8713472d5a0c3c7258b9131bab40725 upstream. selinux_sctp_bind_connect() must verify if the address buffer has sufficient length before accessing the 'sa_family' field. See __sctp_connect() for a similar check. The length of the whole address ('len') is already checked in the callees. Reported-by: Qian Cai <[email protected]> Fixes: d452930fd3b9 ("selinux: Add SCTP support") Cc: <[email protected]> # 4.17+ Cc: Richard Haines <[email protected]> Signed-off-by: Ondrej Mosnacek <[email protected]> Tested-by: Qian Cai <[email protected]> Signed-off-by: Paul Moore <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- security/selinux/hooks.c | 3 +++ 1 file changed, 3 insertions(+) --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -5318,6 +5318,9 @@ static int selinux_sctp_bind_connect(str addr_buf = address; while (walk_size < addrlen) { + if (walk_size + sizeof(sa_family_t) > addrlen) + return -EINVAL; + addr = addr_buf; switch (addr->sa_family) { case AF_UNSPEC:
