| From ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 Mon Sep 17 00:00:00 2001 |
| From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> |
| Date: Mon, 28 Jun 2021 16:13:44 -0300 |
| Subject: sctp: add param size validation for SCTP_PARAM_SET_PRIMARY |
| |
| From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> |
| |
| commit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 upstream. |
| |
| When SCTP handles an INIT chunk, it calls for example: |
| sctp_sf_do_5_1B_init |
| sctp_verify_init |
| sctp_verify_param |
| sctp_process_init |
| sctp_process_param |
| handling of SCTP_PARAM_SET_PRIMARY |
| |
| sctp_verify_init() wasn't doing proper size validation and neither the |
| later handling, allowing it to work over the chunk itself, possibly being |
| uninitialized memory. |
| |
| Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/sctp/sm_make_chunk.c | 13 ++++++++++--- |
| 1 file changed, 10 insertions(+), 3 deletions(-) |
| |
| --- a/net/sctp/sm_make_chunk.c |
| +++ b/net/sctp/sm_make_chunk.c |
| @@ -2172,9 +2172,16 @@ static enum sctp_ierror sctp_verify_para |
| break; |
| |
| case SCTP_PARAM_SET_PRIMARY: |
| - if (net->sctp.addip_enable) |
| - break; |
| - goto fallthrough; |
| + if (!net->sctp.addip_enable) |
| + goto fallthrough; |
| + |
| + if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) + |
| + sizeof(struct sctp_paramhdr)) { |
| + sctp_process_inv_paramlength(asoc, param.p, |
| + chunk, err_chunk); |
| + retval = SCTP_IERROR_ABORT; |
| + } |
| + break; |
| |
| case SCTP_PARAM_HOST_NAME_ADDRESS: |
| /* Tell the peer, we won't support this param. */ |
