From a09c83847b664dcd67a72613374061c900afb799 Mon Sep 17 00:00:00 2001 From: Vlad Yasevich Date: Wed, 5 Sep 2007 15:53:58 -0400 Subject: [PATCH] SCTP: Validate buffer room when processing sequential chunks When we process bundled chunks, we need to make sure that the skb has the buffer for each header since we assume it's always there. Some malicious node can send us something like DATA + 2 bytes and we'll try to walk off the end refrencing potentially uninitialized memory. Signed-off-by: Vlad Yasevich --- net/sctp/inqueue.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c index 88aa224075..e4ea7fdf36 100644 --- a/net/sctp/inqueue.c +++ b/net/sctp/inqueue.c @@ -130,6 +130,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue) /* Force chunk->skb->data to chunk->chunk_end. */ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data); + + /* Verify that we have at least chunk headers + * worth of buffer left. + */ + if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) { + sctp_chunk_free(chunk); + chunk = queue->in_progress = NULL; + } } } -- 2.39.5