[SCTP]: Fix sctp_rcv_ootb() to handle the last chunk of a packet correctly. (a7d1f1b6) · Commits · e / devices / android_kernel_teracube_2e

net/sctp/input.c

+9 −4

Original line number	Diff line number	Diff line
		@@ -588,10 +588,16 @@ int sctp_rcv_ootb(struct sk_buff *skb)
		sctp_errhdr_t *err;

		ch = (sctp_chunkhdr_t *) skb->data;
		ch_end = ((__u8 *) ch) + WORD_ROUND(ntohs(ch->length));

		/* Scan through all the chunks in the packet. */
		while (ch_end > (__u8 *)ch && ch_end < skb->tail) {
		do {
		/* Break out if chunk length is less then minimal. */
		if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
		break;

		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
		if (ch_end > skb->tail)
		break;

		/* RFC 8.4, 2) If the OOTB packet contains an ABORT chunk, the
		* receiver MUST silently discard the OOTB packet and take no
		@@ -622,8 +628,7 @@ int sctp_rcv_ootb(struct sk_buff *skb)
		}

		ch = (sctp_chunkhdr_t *) ch_end;
		ch_end = ((__u8 *) ch) + WORD_ROUND(ntohs(ch->length));
		}
		} while (ch_end < skb->tail);

		return 0;

+2 −0

Original line number	Diff line number	Diff line
		@@ -3090,6 +3090,8 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
		break;

		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
		if (ch_end > skb->tail)
		break;

		if (SCTP_CID_SHUTDOWN_ACK == ch->type)
		ootb_shut_ack = 1;