SCTP: Validate buffer room when processing sequential chunks
When we process bundled chunks, we need to make sure that the skb has the buffer for each header since we assume it's always there. Some malicious node can send us something like DATA + 2 bytes and we'll try to walk off the end refrencing potentially uninitialized memory. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
This commit is contained in:
parent
ca9938fea5
commit
a09c83847b
|
@ -130,6 +130,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
|
|||
/* Force chunk->skb->data to chunk->chunk_end. */
|
||||
skb_pull(chunk->skb,
|
||||
chunk->chunk_end - chunk->skb->data);
|
||||
|
||||
/* Verify that we have at least chunk headers
|
||||
* worth of buffer left.
|
||||
*/
|
||||
if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
|
||||
sctp_chunk_free(chunk);
|
||||
chunk = queue->in_progress = NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue