author | Vladislav Yasevich <vladislav.yasevich@hp.com> | 2006-05-19 17:25:53 -0400 |
---|---|---|
committer | Sridhar Samudrala <sri@us.ibm.com> | 2006-05-19 17:25:53 -0400 |
commit | a601266e4f3c479790f373c2e3122a766d123652 (patch) | |
tree | 0f22554556272153de2cbdc94bc32de5f2fa4633 /net | |
parent | dd2d1c6f2958d027e4591ca5d2a04dfe36ca6512 (diff) |
[SCTP]: Validate the parameter length in HB-ACK chunk.
If SCTP receives a badly formatted HB-ACK chunk, it is possible
that we may access invalid memory and potentially have a buffer
overflow. We should really make sure that the chunk format is
what we expect, before attempting to touch the data.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Diffstat (limited to 'net')
-rw-r--r-- | net/sctp/sm_statefuns.c | 6 |
1 files changed, 6 insertions, 0 deletions
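--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1019,6 +1019,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
 commands);
 
 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
+/* Make sure that the length of the parameter is what we expect */
+if (ntohs(hbinfo->param_hdr.length) !=
+sizeof(sctp_sender_hb_info_t)) {
+return SCTP_DISPOSITION_DISCARD;
+}
+
 from_addr = hbinfo->daddr;
 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
 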
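Review bot: The added comparison trusts the sender-supplied `param_hdr.length`, but nothing visible in this hunk shows that the received chunk actually holds `sizeof(sctp_sender_hb_info_t)` bytes after the chunk header. If it does not, a truncated HB-ACK whose first bytes declare the expected length would pass the test, and both the length read and the following `hbinfo->daddr` read could go past the received data. The start of sctp_sf_backbeat_8_3 is outside the hunk, so an earlier chunk-length check may already cover this. If that check only guarantees a bare heartbeat chunk header, it should be tightened before the cast, for example by requiring `ntohs(chunk->chunk_hdr->length) >= sizeof(sctp_chunkhdr_t) + sizeof(sctp_sender_hb_info_t)`. The comment above the new test should also state which earlier check it relies on, e.g. `/* Chunk length was validated above; now confirm the peer-declared parameter length matches the HB info we sent. */`.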