authorVladislav Yasevich <vladislav.yasevich@hp.com>2006-05-19 17:25:53 -0400
committerSridhar Samudrala <sri@us.ibm.com>2006-05-19 17:25:53 -0400
commita601266e4f3c479790f373c2e3122a766d123652 (patch)
tree0f22554556272153de2cbdc94bc32de5f2fa4633
parentdd2d1c6f2958d027e4591ca5d2a04dfe36ca6512 (diff)
[SCTP]: Validate the parameter length in HB-ACK chunk.
If SCTP receives a badly formatted HB-ACK chunk, it is possible that we may access invalid memory and potentially have a buffer overflow. We should really make sure that the chunk format is what we expect, before attempting to touch the data. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
-rw-r--r--net/sctp/sm_statefuns.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 174f7a7c6cd1..8bc279219a72 100644
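--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1019,6 +1019,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
 commands);
 
 hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data;
+/* Make sure that the length of the parameter is what we expect */
+if (ntohs(hbinfo->param_hdr.length) !=
+sizeof(sctp_sender_hb_info_t)) {
+return SCTP_DISPOSITION_DISCARD;
+}
+
 from_addr = hbinfo->daddr;
 link = sctp_assoc_lookup_paddr(asoc, &from_addr);
 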
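Review bot: The added comparison at new lines 1023-1025 trusts the length field carried inside the parameter, but nothing in this hunk shows that the received chunk actually holds `sizeof(sctp_sender_hb_info_t)` bytes at `chunk->skb->data` before `hbinfo->param_hdr.length` is read. A truncated chunk that carries the expected value in that field would pass the test, and `hbinfo->daddr` at new line 1028 would still be read past the received data unless an earlier check in sctp_sf_backbeat_8_3 bounds the chunk length; the function starts and ends outside the hunk, so that cannot be confirmed from here. If the earlier check covers only the chunk header, it should be widened to the full payload, for example `sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) + sizeof(sctp_sender_hb_info_t))`. The comment could also say that the length is compared for exact equality because the HB-ACK is expected to echo back the structure this host sent.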