Google Git
Sign in
gfiber / kernel / bruno / bd891f40f04f8b96d9148ff8a5d538b60171409c
commitbd891f40f04f8b96d9148ff8a5d538b60171409c[log] [tgz]
authorMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>Tue Oct 25 14:27:39 2016 -0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Tue Nov 15 07:46:39 2016 +0100
treedea8bf60bc890c93a54ccf986c5208e3631d0bfa
parent7c230d0e546a3c6fa72485e80b8e5fe8873822d7 [diff]
sctp: validate chunk len before actually using it

[ Upstream commit bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 ]

Andrey Konovalov reported that KASAN detected that SCTP was using a slab
beyond the boundaries. It was caused because when handling out of the
blue packets in function sctp_sf_ootb() it was checking the chunk len
only after already processing the first chunk, validating only for the
2nd and subsequent ones.

The fix is to just move the check upwards so it's also validated for the
1st chunk.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: dea8bf60bc890c93a54ccf986c5208e3631d0bfa
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .get_maintainer.ignore
  24. .gitignore
  25. .mailmap
  26. COPYING
  27. CREDITS
  28. Kbuild
  29. Kconfig
  30. MAINTAINERS
  31. Makefile
  32. README
  33. REPORTING-BUGS