aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSridhar Samudrala <sri@us.ibm.com>2006-05-05 20:04:43 -0400
committerDavid S. Miller <davem@davemloft.net>2006-05-05 20:04:43 -0400
commit62b08083ec3dbfd7e533c8d230dd1d8191a6e813 (patch)
tree55d2a2d6773cdc86e181b27506b1043be640fa53
parent672e7cca17ed6036a1756ed34cf20dbd72d5e5f6 (diff)
[SCTP]: Fix panic's when receiving fragmented SCTP control chunks.
Use pskb_pull() to handle incoming COOKIE_ECHO and HEARTBEAT chunks that are received as skb's with fragment list. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/sctp/sm_statefuns.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index f5d131f52a70..8cdba51ec076 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -636,8 +636,9 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
636 */ 636 */
637 chunk->subh.cookie_hdr = 637 chunk->subh.cookie_hdr =
638 (struct sctp_signed_cookie *)chunk->skb->data; 638 (struct sctp_signed_cookie *)chunk->skb->data;
639 skb_pull(chunk->skb, 639 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
640 ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t)); 640 sizeof(sctp_chunkhdr_t)))
641 goto nomem;
641 642
642 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint 643 /* 5.1 D) Upon reception of the COOKIE ECHO chunk, Endpoint
643 * "Z" will reply with a COOKIE ACK chunk after building a TCB 644 * "Z" will reply with a COOKIE ACK chunk after building a TCB
@@ -965,7 +966,8 @@ sctp_disposition_t sctp_sf_beat_8_3(const struct sctp_endpoint *ep,
965 */ 966 */
966 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data; 967 chunk->subh.hb_hdr = (sctp_heartbeathdr_t *) chunk->skb->data;
967 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t); 968 paylen = ntohs(chunk->chunk_hdr->length) - sizeof(sctp_chunkhdr_t);
968 skb_pull(chunk->skb, paylen); 969 if (!pskb_pull(chunk->skb, paylen))
970 goto nomem;
969 971
970 reply = sctp_make_heartbeat_ack(asoc, chunk, 972 reply = sctp_make_heartbeat_ack(asoc, chunk,
971 chunk->subh.hb_hdr, paylen); 973 chunk->subh.hb_hdr, paylen);
@@ -1860,8 +1862,9 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(const struct sctp_endpoint *ep,
1860 * are in good shape. 1862 * are in good shape.
1861 */ 1863 */
1862 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data; 1864 chunk->subh.cookie_hdr = (struct sctp_signed_cookie *)chunk->skb->data;
1863 skb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) - 1865 if (!pskb_pull(chunk->skb, ntohs(chunk->chunk_hdr->length) -
1864 sizeof(sctp_chunkhdr_t)); 1866 sizeof(sctp_chunkhdr_t)))
1867 goto nomem;
1865 1868
1866 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie 1869 /* In RFC 2960 5.2.4 3, if both Verification Tags in the State Cookie
1867 * of a duplicate COOKIE ECHO match the Verification Tags of the 1870 * of a duplicate COOKIE ECHO match the Verification Tags of the