sctp: add param size validation for SCTP_PARAM_SET_PRIMARY

commit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 upstream.

When SCTP handles an INIT chunk, it calls for example:
sctp_sf_do_5_1B_init
  sctp_verify_init
    sctp_verify_param
  sctp_process_init
    sctp_process_param
      handling of SCTP_PARAM_SET_PRIMARY

sctp_verify_init() wasn't doing proper size validation and neither the
later handling, allowing it to work over the chunk itself, possibly being
uninitialized memory.

Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index a1ca070e36b0a52fe2aa6e69ecf8ce8a9ff560b7..0789109c2d0933ed001f5cda5e14b6a8ba196fdd 100644 (file)
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2172,9 +2172,16 @@ static enum sctp_ierror sctp_verify_param(struct net *net,
                break;
 
        case SCTP_PARAM_SET_PRIMARY:
-               if (net->sctp.addip_enable)
-                       break;
-               goto fallthrough;
+               if (!net->sctp.addip_enable)
+                       goto fallthrough;
+
+               if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) +
+                                            sizeof(struct sctp_paramhdr)) {
+                       sctp_process_inv_paramlength(asoc, param.p,
+                                                    chunk, err_chunk);
+                       retval = SCTP_IERROR_ABORT;
+               }
+               break;
 
        case SCTP_PARAM_HOST_NAME_ADDRESS:
                /* Tell the peer, we won't support this param.  */