sctp: fix a potential OOB access in sctp_sched_set_sched()
The 'sched' index value must be checked before accessing an element of the 'sctp_sched_ops' array. Otherwise, it can lead to OOB access. Note that it's harmless since the 'sched' parameter is checked before calling 'sctp_sched_set_sched'. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Reviewed-by: Xin Long <lucien.xin@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
6096bc0555
commit
059fa49202
|
@ -148,18 +148,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream)
|
|||
int sctp_sched_set_sched(struct sctp_association *asoc,
|
||||
enum sctp_sched_type sched)
|
||||
{
|
||||
struct sctp_sched_ops *n = sctp_sched_ops[sched];
|
||||
struct sctp_sched_ops *old = asoc->outqueue.sched;
|
||||
struct sctp_datamsg *msg = NULL;
|
||||
struct sctp_sched_ops *n;
|
||||
struct sctp_chunk *ch;
|
||||
int i, ret = 0;
|
||||
|
||||
if (old == n)
|
||||
return ret;
|
||||
|
||||
if (sched > SCTP_SS_MAX)
|
||||
return -EINVAL;
|
||||
|
||||
n = sctp_sched_ops[sched];
|
||||
if (old == n)
|
||||
return ret;
|
||||
|
||||
if (old)
|
||||
sctp_sched_free_sched(&asoc->stream);
|
||||
|
||||
|
|
Loading…
Reference in New Issue