diff options
author | Vlad Yasevich <vladislav.yasevich@hp.com> | 2007-09-05 15:53:58 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-09-25 22:55:45 -0700 |
commit | a09c83847b664dcd67a72613374061c900afb799 (patch) | |
tree | 2d861171a944bb415d3cb0af82544836df1ced3d /net/sctp | |
parent | ca9938fea576ebbb8d8c4fbe8a5bcc937e49e1ca (diff) | |
download | lwn-a09c83847b664dcd67a72613374061c900afb799.tar.gz lwn-a09c83847b664dcd67a72613374061c900afb799.zip |
SCTP: Validate buffer room when processing sequential chunks
When we process bundled chunks, we need to make sure that
the skb has the buffer for each header since we assume it's
always there. Some malicious node can send us something like
DATA + 2 bytes and we'll try to walk off the end refrencing
potentially uninitialized memory.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Diffstat (limited to 'net/sctp')
-rw-r--r-- | net/sctp/inqueue.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c index 88aa22407549..e4ea7fdf36ed 100644 --- a/net/sctp/inqueue.c +++ b/net/sctp/inqueue.c @@ -130,6 +130,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) /* Force chunk->skb->data to chunk->chunk_end. */ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data); + + /* Verify that we have at least chunk headers + * worth of buffer left. + */ + if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) { + sctp_chunk_free(chunk); + chunk = queue->in_progress = NULL; + } } } |