Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

SCTP: Validate buffer room when processing sequential chunks

When we process bundled chunks, we need to make sure that
the skb has the buffer for each header since we assume it's
always there.  Some malicious node can send us something like
DATA + 2 bytes and we'll try to walk off the end refrencing
potentially uninitialized memory.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Vlad Yasevich 17 years ago
parent
ca9938fea5
commit
a09c83847b
1 changed files with 8 additions and 0 deletions
Split View Show Diff Stats
  1. 8 0
      net/sctp/inqueue.c

+ 8 - 0
net/sctp/inqueue.c
View File 

@@ -130,6 +130,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
 
 			/* Force chunk->skb->data to chunk->chunk_end.  */
 
 			skb_pull(chunk->skb,
 
 				 chunk->chunk_end - chunk->skb->data);
 
+
 
+			/* Verify that we have at least chunk headers
 
+			 * worth of buffer left.
 
+			 */
 
+			if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
 
+				sctp_chunk_free(chunk);
 
+				chunk = queue->in_progress = NULL;
 
+			}
 
 		}
 
 	}