authorWei Yongjun <yjwei@cn.fujitsu.com>2009-08-21 23:27:37 -0400
committerVlad Yasevich <vladislav.yasevich@hp.com>2009-09-04 18:20:58 -0400
commitdadb50cc1ada2906594df83d991f0bc388039bb6 (patch)
tree25df647a588e1401377339f98f3dad12f17ab7bd /net/sctp
parenta2f36eec5647548fa94fb68e2843b00fb9c0d46b (diff)
sctp: fix check the chunk length of received HEARTBEAT-ACK chunk
The receiver of the HEARTBEAT should respond with a HEARTBEAT ACK that contains the Heartbeat Information field copied from the received HEARTBEAT chunk. So the received HEARTBEAT-ACK chunk must have a length of: sizeof(sctp_chunkhdr_t) + sizeof(sctp_sender_hb_info_t). With a badly formatted HB-ACK chunk, it is possible that we may access invalid memory. We should really make sure that the chunk format is what we expect, before attempting to touch the data. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Diffstat (limited to 'net/sctp')
-rw-r--r--net/sctp/sm_statefuns.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 73bdeb2b6c62..7fb08a694917 100644
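--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1115,7 +1115,8 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep,
 return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
 
 /* Make sure that the HEARTBEAT-ACK chunk has a valid length. */
-if (!sctp_chunk_length_valid(chunk, sizeof(sctp_heartbeat_chunk_t)))
+if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t) +
+sizeof(sctp_sender_hb_info_t)))
 return sctp_sf_violation_chunklen(ep, asoc, type, arg,
 commands);
 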
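Review bot: The comment above the new check (line 1117) still says only "valid length" and does not explain why the bound is the chunk header plus `sctp_sender_hb_info_t` rather than the generic heartbeat chunk type. A later cleanup could plausibly shrink the bound back without noticing that it reintroduces the invalid read. I would expand the comment to something like `/* HB-ACK echoes our own sender hb info; the chunk must be large enough to hold all of it before the payload is read. */`. If `sctp_chunk_length_valid()` is a minimum-length test (its definition is not in this hunk), the check enforces "at least" this size, not the exact length the commit message states. That is enough for memory safety, but the comment should say so. The body of `sctp_sf_backbeat_8_3` starts and ends outside the hunk, so the code that reads the heartbeat info is not visible here.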