diff options
| author | Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> | 2021-06-28 16:13:44 -0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-09-26 13:39:47 +0200 |
| commit | 718094012d82a9e925a839fbab11a1eaa3220669 (patch) | |
| tree | 47853534853a7b38e107fcf6077b1476b600dd9f /net | |
| parent | 194d21f10ef6a2e1109c31d775fb23ffdb41657f (diff) | |
| download | linux-718094012d82a9e925a839fbab11a1eaa3220669.tar.gz linux-718094012d82a9e925a839fbab11a1eaa3220669.tar.bz2 linux-718094012d82a9e925a839fbab11a1eaa3220669.zip | |
sctp: add param size validation for SCTP_PARAM_SET_PRIMARY
commit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 upstream.
When SCTP handles an INIT chunk, it calls for example:
sctp_sf_do_5_1B_init
sctp_verify_init
sctp_verify_param
sctp_process_init
sctp_process_param
handling of SCTP_PARAM_SET_PRIMARY
sctp_verify_init() wasn't doing proper size validation and neither the
later handling, allowing it to work over the chunk itself, possibly being
uninitialized memory.
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/sctp/sm_make_chunk.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index a1ca070e36b0..0789109c2d09 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -2172,9 +2172,16 @@ static enum sctp_ierror sctp_verify_param(struct net *net, break; case SCTP_PARAM_SET_PRIMARY: - if (net->sctp.addip_enable) - break; - goto fallthrough; + if (!net->sctp.addip_enable) + goto fallthrough; + + if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) + + sizeof(struct sctp_paramhdr)) { + sctp_process_inv_paramlength(asoc, param.p, + chunk, err_chunk); + retval = SCTP_IERROR_ABORT; + } + break; case SCTP_PARAM_HOST_NAME_ADDRESS: /* Tell the peer, we won't support this param. */ |