Commit a601266e authored May 19, 2006 by Vladislav Yasevich Committed by Sridhar Samudrala May 19, 2006

[SCTP]: Validate the parameter length in HB-ACK chunk.



If SCTP receives a badly formatted HB-ACK chunk, it is possible
that we may access invalid memory and potentially have a buffer
overflow.  We should really make sure that the chunk format is
what we expect, before attempting to touch the data.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>

parent dd2d1c6f

net/sctp/sm_statefuns.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -1019,6 +1019,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
		commands);

		hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
		/* Make sure that the length of the parameter is what we expect */
		if (ntohs(hbinfo->param_hdr.length) !=
		sizeof(sctp_sender_hb_info_t)) {
		return SCTP_DISPOSITION_DISCARD;
		}

		from_addr = hbinfo->daddr;
		link = sctp_assoc_lookup_paddr(asoc, &from_addr);