diff options
| author | Wei Yongjun <yjwei@cn.fujitsu.com> | 2007-09-19 05:19:52 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-09-26 01:55:49 -0400 |
| commit | 6f4c618ddb0e6b7e6d49cfc8134e694be1c0bc9b (patch) | |
| tree | 7ff3a0de1fc54e82bca9201d7f3d5df5c43c7cc7 /net/sctp/sm_make_chunk.c | |
| parent | 3c77f961b55b6060858c68a213d7f4470d7f3eb2 (diff) | |
SCTP : Add paramters validity check for ASCONF chunk
If ADDIP is enabled, when an ASCONF chunk is received with ASCONF
paramter length set to zero, this will cause infinite loop.
By the way, if an malformed ASCONF chunk is received, will cause
processing to access memory without verifying.
This is because of not check the validity of parameters in ASCONF chunk.
This patch fixed this.
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Diffstat (limited to 'net/sctp/sm_make_chunk.c')
| -rw-r--r-- | net/sctp/sm_make_chunk.c | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 2e34220d94cd..23ae37ec8711 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c | |||
| @@ -2499,6 +2499,52 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, | |||
| 2499 | return SCTP_ERROR_NO_ERROR; | 2499 | return SCTP_ERROR_NO_ERROR; |
| 2500 | } | 2500 | } |
| 2501 | 2501 | ||
| 2502 | /* Verify the ASCONF packet before we process it. */ | ||
| 2503 | int sctp_verify_asconf(const struct sctp_association *asoc, | ||
| 2504 | struct sctp_paramhdr *param_hdr, void *chunk_end, | ||
| 2505 | struct sctp_paramhdr **errp) { | ||
| 2506 | sctp_addip_param_t *asconf_param; | ||
| 2507 | union sctp_params param; | ||
| 2508 | int length, plen; | ||
| 2509 | |||
| 2510 | param.v = (sctp_paramhdr_t *) param_hdr; | ||
| 2511 | while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) { | ||
| 2512 | length = ntohs(param.p->length); | ||
| 2513 | *errp = param.p; | ||
| 2514 | |||
| 2515 | if (param.v > chunk_end - length || | ||
| 2516 | length < sizeof(sctp_paramhdr_t)) | ||
| 2517 | return 0; | ||
| 2518 | |||
| 2519 | switch (param.p->type) { | ||
| 2520 | case SCTP_PARAM_ADD_IP: | ||
| 2521 | case SCTP_PARAM_DEL_IP: | ||
| 2522 | case SCTP_PARAM_SET_PRIMARY: | ||
| 2523 | asconf_param = (sctp_addip_param_t *)param.v; | ||
| 2524 | plen = ntohs(asconf_param->param_hdr.length); | ||
| 2525 | if (plen < sizeof(sctp_addip_param_t) + | ||
| 2526 | sizeof(sctp_paramhdr_t)) | ||
| 2527 | return 0; | ||
| 2528 | break; | ||
| 2529 | case SCTP_PARAM_SUCCESS_REPORT: | ||
| 2530 | case SCTP_PARAM_ADAPTATION_LAYER_IND: | ||
| 2531 | if (length != sizeof(sctp_addip_param_t)) | ||
| 2532 | return 0; | ||
| 2533 | |||
| 2534 | break; | ||
| 2535 | default: | ||
| 2536 | break; | ||
| 2537 | } | ||
| 2538 | |||
| 2539 | param.v += WORD_ROUND(length); | ||
| 2540 | } | ||
| 2541 | |||
| 2542 | if (param.v != chunk_end) | ||
| 2543 | return 0; | ||
| 2544 | |||
| 2545 | return 1; | ||
| 2546 | } | ||
| 2547 | |||
| 2502 | /* Process an incoming ASCONF chunk with the next expected serial no. and | 2548 | /* Process an incoming ASCONF chunk with the next expected serial no. and |
| 2503 | * return an ASCONF_ACK chunk to be sent in response. | 2549 | * return an ASCONF_ACK chunk to be sent in response. |
| 2504 | */ | 2550 | */ |