Commit a7d1f1b66c05ef4ebb58a34be7caad9af15546a4

Authored by Tsutomu Fujii
Committed by Sridhar Samudrala
1 parent c4d2444e99

[SCTP]: Fix sctp_rcv_ootb() to handle the last chunk of a packet correctly.

Signed-off-by: Tsutomu Fujii <t-fujii@nb.jp.nec.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>

Showing 2 changed files with 11 additions and 4 deletions

... ... @@ -588,11 +588,17 @@
588 588 sctp_errhdr_t *err;
589 589  
590 590 ch = (sctp_chunkhdr_t *) skb->data;
591   - ch_end = ((__u8 *) ch) + WORD_ROUND(ntohs(ch->length));
592 591  
593 592 /* Scan through all the chunks in the packet. */
594   - while (ch_end > (__u8 *)ch && ch_end < skb->tail) {
  593 + do {
  594 + /* Break out if chunk length is less then minimal. */
  595 + if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
  596 + break;
595 597  
  598 + ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
  599 + if (ch_end > skb->tail)
  600 + break;
  601 +
596 602 /* RFC 8.4, 2) If the OOTB packet contains an ABORT chunk, the
597 603 * receiver MUST silently discard the OOTB packet and take no
598 604 * further action.
... ... @@ -622,8 +628,7 @@
622 628 }
623 629  
624 630 ch = (sctp_chunkhdr_t *) ch_end;
625   - ch_end = ((__u8 *) ch) + WORD_ROUND(ntohs(ch->length));
626   - }
  631 + } while (ch_end < skb->tail);
627 632  
628 633 return 0;
629 634  
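Review bot: The top of the new `do` body reads `ch->length` before anything confirms that a whole chunk header lies between `ch` and `skb->tail`. The `while (ch_end < skb->tail)` condition only guarantees that at least one byte remains, so when fewer than `sizeof(sctp_chunkhdr_t)` bytes trail the previous chunk, the length field is read past the received data. Add a guard ahead of the minimal-length check, for example `if ((__u8 *)ch + sizeof(sctp_chunkhdr_t) > skb->tail) break;`. The loop patched in net/sctp/sm_statefuns.c further down appears to have the same shape, though its loop head is outside that hunk. Both early `break`s fall through to the `return 0;` after the loop, so a comment should say what that result means for a packet with a malformed chunk length; the function's start and end are outside the hunk.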
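--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3090,6 +3090,8 @@
 break;
 
 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+if (ch_end > skb->tail)
+break;
 
 if (SCTP_CID_SHUTDOWN_ACK == ch->type)
 ootb_shut_ack = 1;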
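Review bot: The added `break` on `ch_end > skb->tail` stops the scan but keeps whatever earlier chunks already recorded, such as `ootb_shut_ack`. A packet whose final chunk claims more bytes than were received is therefore still handled by the code after the loop, which is outside this hunk. If that code sends a response to the peer, a truncated or forged length should probably lead to the packet being discarded instead; please confirm which outcome is intended. At minimum, add a comment above the check such as `/* Chunk overruns the received data: malformed packet, stop scanning. */`.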