]> www.infradead.org Git - users/jedix/linux-maple.git/commit
sctp: validate chunk len before actually using it
authorMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Tue, 25 Oct 2016 16:27:39 +0000 (14:27 -0200)
committerDhaval Giani <dhaval.giani@oracle.com>
Mon, 16 Jan 2017 21:41:05 +0000 (16:41 -0500)
commitb3bc678783ea003a5e40b2e526b699460a959a41
treeba6d261114f1422593a4ee8d1f6412d9729e73ee
parent80e6d7280af49c84d66ad1a8161c75bed4eb635d
sctp: validate chunk len before actually using it

Andrey Konovalov reported that KASAN detected that SCTP was using a slab
beyond the boundaries. It was caused because when handling out of the
blue packets in function sctp_sf_ootb() it was checking the chunk len
only after already processing the first chunk, validating only for the
2nd and subsequent ones.

The fix is to just move the check upwards so it's also validated for the
1st chunk.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit bf911e985d6bbaa328c20c3e05f4eb03de11fdd6)
Signed-off-by: Brian Maly <brian.maly@oracle.com>
Conflicts:
 net/sctp/sm_statefuns.c

Orabug: 25142846
CVE: CVE-2016-9555
Signed-off-by: Dhaval Giani <dhaval.giani@oracle.com>
Reviewed-by: Chuck Anderson <chuck.anderson@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
Signed-off-by: Dhaval Giani <dhaval.giani@oracle.com>
net/sctp/sm_statefuns.c