[PATCH] SCTP: Validate the parameter length in HB-ACK chunk (CVE-2006-1857)

If SCTP receives a badly formatted HB-ACK chunk, it is possible
that we may access invalid memory and potentially have a buffer
overflow.  We should really make sure that the chunk format is
what we expect, before attempting to touch the data.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 8cdba51..9395e09 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1030,6 +1030,12 @@
 						  commands);
 
 	hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
+	/* Make sure that the length of the parameter is what we expect */
+	if (ntohs(hbinfo->param_hdr.length) !=
+				    sizeof(sctp_sender_hb_info_t)) {
+		return SCTP_DISPOSITION_DISCARD;
+	}
+
 	from_addr = hbinfo->daddr;
 	link = sctp_assoc_lookup_paddr(asoc, &from_addr);
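
Review bot: the added comparison `ntohs(hbinfo->param_hdr.length) != sizeof(sctp_sender_hb_info_t)` only validates the length the parameter declares about itself. Nothing in the visible lines shows that the chunk actually carries that many bytes at `chunk->skb->data`. If the received chunk is shorter than the parameter claims, reading `param_hdr.length` and then `hbinfo->daddr` could still touch memory past the received data. Consider also bounding the parameter against the chunk's own length (or the remaining skb length) before dereferencing `hbinfo`. If the call ending in `commands);` just above already guarantees this, a short comment saying so would help. Minor style point: the braces around the single `return SCTP_DISPOSITION_DISCARD;` are unnecessary under kernel coding style.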