| From b6ffe7671b24689c09faa5675dd58f93758a97ae Mon Sep 17 00:00:00 2001 |
| From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> |
| Date: Mon, 28 Jun 2021 16:13:43 -0300 |
| Subject: sctp: validate chunk size in __rcv_asconf_lookup |
| |
| From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> |
| |
| commit b6ffe7671b24689c09faa5675dd58f93758a97ae upstream. |
| |
| In one of the fallbacks that SCTP has for identifying an association for an |
| incoming packet, it looks for AddIp chunk (from ASCONF) and take a peek. |
| Thing is, at this stage nothing was validating that the chunk actually had |
| enough content for that, allowing the peek to happen over uninitialized |
| memory. |
| |
| Similar check already exists in actual asconf handling in |
| sctp_verify_asconf(). |
| |
| Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/sctp/input.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| --- a/net/sctp/input.c |
| +++ b/net/sctp/input.c |
| @@ -1125,6 +1125,9 @@ static struct sctp_association *__sctp_r |
| union sctp_addr_param *param; |
| union sctp_addr paddr; |
| |
| + if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr)) |
| + return NULL; |
| + |
| /* Skip over the ADDIP header and find the Address parameter */ |
| param = (union sctp_addr_param *)(asconf + 1); |
| |