SCTP: Validate buffer room when processing sequential chunks

When we process bundled chunks, we need to make sure that the skb has the buffer for each header since we assume it's always there. Some malicious node can send us something like DATA + 2 bytes and we'll try to walk off the end refrencing potentially uninitialized memory. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
author: Vlad Yasevich <vladislav.yasevich@hp.com> 2007-09-05 15:53:58 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2007-09-25 22:55:45 -0700
commit: a09c83847b664dcd67a72613374061c900afb799 (patch)
tree: 2d861171a944bb415d3cb0af82544836df1ced3d /net/sctp/inqueue.c
parent: ca9938fea576ebbb8d8c4fbe8a5bcc937e49e1ca (diff)
download: linux-a09c83847b664dcd67a72613374061c900afb799.tar.bz2
1 files changed, 8 insertions, 0 deletions
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 88aa22407549..e4ea7fdf36ed 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -130,6 +130,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
 			/* Force chunk->skb->data to chunk->chunk_end.  */
 			skb_pull(chunk->skb,
 				 chunk->chunk_end - chunk->skb->data);
+
+			/* Verify that we have at least chunk headers
+			 * worth of buffer left.
+			 */
+			if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
+				sctp_chunk_free(chunk);
+				chunk = queue->in_progress = NULL;
+			}
 		}
 	}
author	Vlad Yasevich <vladislav.yasevich@hp.com>	2007-09-05 15:53:58 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2007-09-25 22:55:45 -0700
commit	a09c83847b664dcd67a72613374061c900afb799 (patch)
tree	2d861171a944bb415d3cb0af82544836df1ced3d /net/sctp/inqueue.c
parent	ca9938fea576ebbb8d8c4fbe8a5bcc937e49e1ca (diff)
download	linux-a09c83847b664dcd67a72613374061c900afb799.tar.bz2