diff options
author | Sridhar Samudrala <sri@us.ibm.com> | 2006-05-05 20:04:43 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2006-05-05 20:04:43 -0400 |
commit | 62b08083ec3dbfd7e533c8d230dd1d8191a6e813 (patch) | |
tree | 55d2a2d6773cdc86e181b27506b1043be640fa53 | |
parent | 672e7cca17ed6036a1756ed34cf20dbd72d5e5f6 (diff) |
[SCTP]: Fix panic's when receiving fragmented SCTP control chunks.
Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that
are received as skb's with fragment list.
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/sctp/sm_statefuns.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index f5d131f52a70..8cdba51ec076 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c | |||
@@ -636,8 +636,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep, | |||
636 | */ | 636 | */ |
637 | chunk->subh.cookie_hdr = | 637 | chunk->subh.cookie_hdr = |
638 | (struct sctp_signed_cookie *)chunk->skb->data; | 638 | (struct sctp_signed_cookie *)chunk->skb->data; |
639 | skb_pull(chunk->skb, | 639 | if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - |
640 | ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t)); | 640 | sizeof(sctp_chunkhdr_t))) |
641 | goto nomem; | ||
641 | 642 | ||
642 | /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint | 643 | /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint |
643 | * "Z" will reply with a COOKIE ACK chunk after building a TCB | 644 | * "Z" will reply with a COOKIE ACK chunk after building a TCB |
@@ -965,7 +966,8 @@ sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep, | |||
965 | */ | 966 | */ |
966 | chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; | 967 | chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; |
967 | paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); | 968 | paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); |
968 | skb_pull(chunk->skb, paylen); | 969 | if (!pskb_pull(chunk->skb, paylen)) |
970 | goto nomem; | ||
969 | 971 | ||
970 | reply = sctp_make_heartbeat_ack(asoc, chunk, | 972 | reply = sctp_make_heartbeat_ack(asoc, chunk, |
971 | chunk->subh.hb_hdr, paylen); | 973 | chunk->subh.hb_hdr, paylen); |
@@ -1860,8 +1862,9 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep, | |||
1860 | * are in good shape. | 1862 | * are in good shape. |
1861 | */ | 1863 | */ |
1862 | chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; | 1864 | chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; |
1863 | skb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - | 1865 | if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - |
1864 | sizeof(sctp_chunkhdr_t)); | 1866 | sizeof(sctp_chunkhdr_t))) |
1867 | goto nomem; | ||
1865 | 1868 | ||
1866 | /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie | 1869 | /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie |
1867 | * of a duplicate COOKIE ECHO match the Verification Tags of the | 1870 | * of a duplicate COOKIE ECHO match the Verification Tags of the |