Commit a09c8384 authored Sep 05, 2007 by Vlad Yasevich Committed by David S. Miller Sep 25, 2007

SCTP: Validate buffer room when processing sequential chunks



When we process bundled chunks, we need to make sure that
the skb has the buffer for each header since we assume it's
always there.  Some malicious node can send us something like
DATA + 2 bytes and we'll try to walk off the end refrencing
potentially uninitialized memory.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

parent ca9938fe

net/sctp/inqueue.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -130,6 +130,14 @@ struct sctp_chunk sctp_inq_pop(struct sctp_inq queue)
		/* Force chunk->skb->data to chunk->chunk_end. */
		skb_pull(chunk->skb,
		chunk->chunk_end - chunk->skb->data);

		/* Verify that we have at least chunk headers
		* worth of buffer left.
		*/
		if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
		sctp_chunk_free(chunk);
		chunk = queue->in_progress = NULL;
		}
		}
		}