Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (55 commits)
  sctp: fix random memory dereference with SCTP_HMAC_IDENT option.
  sctp: correct bounds check in sctp_setsockopt_auth_key
  wan: Missing capability checks in sbni_ioctl()
  e100, fix iomap read
  qeth: preallocated header account offset
  qeth: l2 write unicast list to hardware
  qeth: use -EOPNOTSUPP instead of -ENOTSUPP.
  ibm_newemac: Don't call dev_mc_add() before device is registered
  net: don't grab a mutex within a timer context in gianfar
  forcedeth: fix checksum flag
  net/usb/mcs7830: add set_mac_address
  net/usb/mcs7830: new device IDs
  [netdrvr] smc91x: fix resource removal (null ptr deref)
  ibmveth: fix bad UDP checksums
  [netdrvr] hso: dev_kfree_skb crash fix
  [netdrvr] hso: icon 322 detection fix
  atl1: disable TSO by default
  atl1e: multistatement if missing braces
  igb: remove 82576 quad adapter
  drivers/net/skfp/ess.c: fix compile warnings
  ...

1 files changed, 5 insertions, 3 deletions

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index afa952e726d..5ffb9dec1c3 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3086,6 +3086,7 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
 				    int optlen)
 {
 	struct sctp_hmacalgo *hmacs;
+	u32 idents;
 	int err;
 
 	if (!sctp_auth_enable)
@@ -3103,8 +3104,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
 		goto out;
 	}
 
-	if (hmacs->shmac_num_idents == 0 ||
-	    hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
+	idents = hmacs->shmac_num_idents;
+	if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
+	    (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
 		err = -EINVAL;
 		goto out;
 	}
@@ -3144,7 +3146,7 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
 		goto out;
 	}
 
-	if (authkey->sca_keylength > optlen) {
+	if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) {
 		ret = -EINVAL;
 		goto out;
 	}