Commit bf911e9

marceloleitner authored and davem330 committed
sctp: validate chunk len before actually using it
Andrey Konovalov reported that KASAN detected that SCTP was using a slab beyond the boundaries. It was caused because when handling out of the blue packets in function sctp_sf_ootb() it was checking the chunk len only after already processing the first chunk, validating only for the 2nd and subsequent ones.

The fix is to just move the check upwards so it's also validated for the 1st chunk.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent c2e169b commit bf911e9

1 file changed

+6
-6
lines changed

Diff for: net/sctp/sm_statefuns.c

@@ -3422,6 +3422,12 @@ sctp_disposition_t sctp_sf_ootb(struct net *net,
34223422
return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
34233423
commands);
34243424

3425+
/* Report violation if chunk len overflows */
3426+
ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
3427+
if (ch_end > skb_tail_pointer(skb))
3428+
return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3429+
commands);
3430+
34253431
/* Now that we know we at least have a chunk header,
34263432
* do things that are type appropriate.
34273433
*/
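Review bot: the comment on the added check at new line 3425, "Report violation if chunk len overflows", reads like an arithmetic overflow, while the test is that ch_end, computed from the padded length SCTP_PAD4(ntohs(ch->length)), lies past skb_tail_pointer(skb). Suggest wording it as "chunk extends past the end of the skb data" and stating that the padded length is what gets compared, because a final chunk whose unpadded length fits but whose padding bytes are absent is reported as a violation by this test. With the bounds check now ahead of the type-specific block, the existing comment "Now that we know we at least have a chunk header" could also be updated to say the whole chunk is known to lie within the skb.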
@@ -3453,12 +3459,6 @@ sctp_disposition_t sctp_sf_ootb(struct net *net,
34533459
}
34543460
}
34553461

3456-
/* Report violation if chunk len overflows */
3457-
ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
3458-
if (ch_end > skb_tail_pointer(skb))
3459-
return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
3460-
commands);
3461-
34623462
ch = (sctp_chunkhdr_t *) ch_end;
34633463
} while (ch_end < skb_tail_pointer(skb));
34643464
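Review bot: after this removal, the advance "ch = (sctp_chunkhdr_t *) ch_end;" and the loop condition "while (ch_end < skb_tail_pointer(skb))" depend on a ch_end that is now assigned at the top of the loop body (new line 3426 in the first hunk), well away from its use. A one-line comment at the advance saying that ch_end was computed and bounds-checked before the chunk was processed would stop a later edit from reordering the two again. The loop also only makes progress when SCTP_PAD4(ntohs(ch->length)) is non-zero; the condition guarding the earlier return at 3422 is not visible in this diff, so please confirm it rejects a length shorter than the chunk header.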
