1 files changed, 9 insertions, 7 deletions
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 0e06a278d2a9..ba9ad32fc447 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -473,15 +473,14 @@ struct sock *sctp_err_lookup(struct net *net, int family, struct sk_buff *skb,
                             struct sctp_association **app,
                             struct sctp_transport **tpp)
 {
+        struct sctp_init_chunk *chunkhdr, _chunkhdr;
        union sctp_addr saddr;
        union sctp_addr daddr;
        struct sctp_af *af;
        struct sock *sk = NULL;
        struct sctp_association *asoc;
        struct sctp_transport *transport = NULL;
-        struct sctp_init_chunk *chunkhdr;
        __u32 vtag = ntohl(sctphdr->vtag);
-        int len = skb->len - ((void *)sctphdr - (void *)skb->data);
        *app = NULL; *tpp = NULL;
@@ -516,13 +515,16 @@ struct sock *sctp_err_lookup(struct net *net, int family, struct sk_buff *skb,
         * discard the packet.
         */
        if (vtag == 0) {
-                chunkhdr = (void *)sctphdr + sizeof(struct sctphdr);
+                /* chunk header + first 4 octects of init header */
-                if (len < sizeof(struct sctphdr) + sizeof(sctp_chunkhdr_t)
+                chunkhdr = skb_header_pointer(skb, skb_transport_offset(skb) +
-                          + sizeof(__be32) ||
+                                              sizeof(struct sctphdr),
+                                              sizeof(struct sctp_chunkhdr) +
+                                              sizeof(__be32), &_chunkhdr);
+                if (!chunkhdr ||
                    chunkhdr->chunk_hdr.type != SCTP_CID_INIT ||
-                    ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag) {
+                    ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag)
                        goto out;
-                }
        } else if (vtag != asoc->c.peer_vtag) {
                goto out;
        }

diff --git a/net/sctp/input.c b/net/sctp/input.c index 0e06a278d2a9..ba9ad32fc447 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c
@@ -473,15 +473,14 @@ struct sock sctp_err_lookup(struct net net, int family, struct sk_buff *skb,
473	struct sctp_association **app,	473	struct sctp_association **app,
474	struct sctp_transport **tpp)	474	struct sctp_transport **tpp)
475	{	475	{
		476	struct sctp_init_chunk *chunkhdr, _chunkhdr;
476	union sctp_addr saddr;	477	union sctp_addr saddr;
477	union sctp_addr daddr;	478	union sctp_addr daddr;
478	struct sctp_af *af;	479	struct sctp_af *af;
479	struct sock *sk = NULL;	480	struct sock *sk = NULL;
480	struct sctp_association *asoc;	481	struct sctp_association *asoc;
481	struct sctp_transport *transport = NULL;	482	struct sctp_transport *transport = NULL;
482	struct sctp_init_chunk *chunkhdr;
483	__u32 vtag = ntohl(sctphdr->vtag);	483	__u32 vtag = ntohl(sctphdr->vtag);
484	int len = skb->len - ((void )sctphdr - (void )skb->data);
485		484
486	app = NULL; tpp = NULL;	485	app = NULL; tpp = NULL;
487		486
@@ -516,13 +515,16 @@ struct sock sctp_err_lookup(struct net net, int family, struct sk_buff *skb,
516	* discard the packet.	515	* discard the packet.
517	*/	516	*/
518	if (vtag == 0) {	517	if (vtag == 0) {
519	chunkhdr = (void *)sctphdr + sizeof(struct sctphdr);	518	/* chunk header + first 4 octects of init header */
520	if (len < sizeof(struct sctphdr) + sizeof(sctp_chunkhdr_t)	519	chunkhdr = skb_header_pointer(skb, skb_transport_offset(skb) +
521	+ sizeof(__be32) \|\|	520	sizeof(struct sctphdr),
		521	sizeof(struct sctp_chunkhdr) +
		522	sizeof(__be32), &_chunkhdr);
		523	if (!chunkhdr \|\|
522	chunkhdr->chunk_hdr.type != SCTP_CID_INIT \|\|	524	chunkhdr->chunk_hdr.type != SCTP_CID_INIT \|\|
523	ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag) {	525	ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag)
524	goto out;	526	goto out;
525	}	527
526	} else if (vtag != asoc->c.peer_vtag) {	528	} else if (vtag != asoc->c.peer_vtag) {
527	goto out;	529	goto out;
528	}	530	}