[SCTP]: Validate the parameter length in HB-ACK chunk.

If SCTP receives a badly formatted HB-ACK chunk, it is possible that we may access invalid memory and potentially have a buffer overflow. We should really make sure that the chunk format is what we expect, before attempting to touch the data. Signed-off-by: N Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: N Sridhar Samudrala <sri@us.ibm.com>

[SCTP]: Validate the parameter length in HB-ACK chunk.
If SCTP receives a badly formatted HB-ACK chunk, it is possible that we may access invalid memory and potentially have a buffer overflow. We should really make sure that the chunk format is what we expect, before attempting to touch the data. Signed-off-by: N Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: N Sridhar Samudrala <sri@us.ibm.com>
a601266e · Vladislav Yasevich · Sridhar Samudrala · dd2d1c6f · a601266e
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

net/sctp/sm_statefuns.c net/sctp/sm_statefuns.c +6 -0

未找到文件。
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1019,6 +1019,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
 						  commands);

 	hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
+	/* Make sure that the length of the parameter is what we expect */
+	if (ntohs(hbinfo->param_hdr.length) !=
+				    sizeof(sctp_sender_hb_info_t)) {
+		return SCTP_DISPOSITION_DISCARD;
+	}
+
 	from_addr = hbinfo->daddr;
 	link = sctp_assoc_lookup_paddr(asoc, &from_addr);