
Commit 3f6c0a8a authored by Marcelo Ricardo Leitner, committed by PavanKumar S.R

sctp: add param size validation for SCTP_PARAM_SET_PRIMARY



commit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 upstream.

When SCTP handles an INIT chunk, it calls for example:
sctp_sf_do_5_1B_init
  sctp_verify_init
    sctp_verify_param
  sctp_process_init
    sctp_process_param
      handling of SCTP_PARAM_SET_PRIMARY

sctp_verify_init() wasn't doing proper size validation and neither the
later handling, allowing it to work over the chunk itself, possibly being
uninitialized memory.

Change-Id: I024a989502d9cd33af3f34ef5fb89c5a8a3c7948
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 71809401
Git-repo: https://android.googlesource.com/kernel/common


Signed-off-by: PavanKumar S.R <quic_pavasr@quicinc.com>
parent 91ef6066
+10 −3
@@ -2172,10 +2172,17 @@ static enum sctp_ierror sctp_verify_param(struct net *net,
		break;

	case SCTP_PARAM_SET_PRIMARY:
		if (net->sctp.addip_enable)
			break;
		if (!net->sctp.addip_enable)
			goto fallthrough;

		if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) +
					     sizeof(struct sctp_paramhdr)) {
			sctp_process_inv_paramlength(asoc, param.p,
						     chunk, err_chunk);
			retval = SCTP_IERROR_ABORT;
		}
		break;

	case SCTP_PARAM_HOST_NAME_ADDRESS:
		/* Tell the peer, we won't support this param.  */
		sctp_process_hn_param(asoc, param, chunk, err_chunk);
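
Review bot: in the SCTP_PARAM_SET_PRIMARY case, the new check only enforces a minimum of sizeof(struct sctp_addip_param) + sizeof(struct sctp_paramhdr), so it guarantees that the embedded address parameter's header is present, but not that the address body announced by that header fits inside param.p->length. If the later handling reads the address according to the inner header, the inner length should also be bounded against the outer one, either here or at the point of use; the visible lines do not show such a check. A one-line comment above the `if (ntohs(param.p->length) < ...` test saying what the minimum covers would make the intent clear. Separately, `goto fallthrough;` targets a label outside this hunk, so since this is a backport, confirm that label exists in this tree.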