1 files changed, 46 insertions, 0 deletions
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 2e34220d94cd..23ae37ec8711 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2499,6 +2499,52 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
        return SCTP_ERROR_NO_ERROR;
 }
+/* Verify the ASCONF packet before we process it.  */
+int sctp_verify_asconf(const struct sctp_association *asoc,
+                       struct sctp_paramhdr *param_hdr, void *chunk_end,
+                       struct sctp_paramhdr **errp) {
+        sctp_addip_param_t *asconf_param;
+        union sctp_params param;
+        int length, plen;
+        param.v = (sctp_paramhdr_t *) param_hdr;
+        while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) {
+                length = ntohs(param.p->length);
+                *errp = param.p;
+                if (param.v > chunk_end - length ||
+                    length < sizeof(sctp_paramhdr_t))
+                        return 0;
+                switch (param.p->type) {
+                case SCTP_PARAM_ADD_IP:
+                case SCTP_PARAM_DEL_IP:
+                case SCTP_PARAM_SET_PRIMARY:
+                        asconf_param = (sctp_addip_param_t *)param.v;
+                        plen = ntohs(asconf_param->param_hdr.length);
+                        if (plen < sizeof(sctp_addip_param_t) +
+                            sizeof(sctp_paramhdr_t))
+                                return 0;
+                        break;
+                case SCTP_PARAM_SUCCESS_REPORT:
+                case SCTP_PARAM_ADAPTATION_LAYER_IND:
+                        if (length != sizeof(sctp_addip_param_t))
+                                return 0;
+                        break;
+                default:
+                        break;
+                }
+                param.v += WORD_ROUND(length);
+        }
+        if (param.v != chunk_end)
+                return 0;
+        return 1;
+}
 /* Process an incoming ASCONF chunk with the next expected serial no. and
 * return an ASCONF_ACK chunk to be sent in response.
 */

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 2e34220d94cd..23ae37ec8711 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c
@@ -2499,6 +2499,52 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
2499	return SCTP_ERROR_NO_ERROR;	2499	return SCTP_ERROR_NO_ERROR;
2500	}	2500	}
2501		2501
		2502	/* Verify the ASCONF packet before we process it. */
		2503	int sctp_verify_asconf(const struct sctp_association *asoc,
		2504	struct sctp_paramhdr param_hdr, void chunk_end,
		2505	struct sctp_paramhdr **errp) {
		2506	sctp_addip_param_t *asconf_param;
		2507	union sctp_params param;
		2508	int length, plen;
		2509
		2510	param.v = (sctp_paramhdr_t *) param_hdr;
		2511	while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) {
		2512	length = ntohs(param.p->length);
		2513	*errp = param.p;
		2514
		2515	if (param.v > chunk_end - length \|\|
		2516	length < sizeof(sctp_paramhdr_t))
		2517	return 0;
		2518
		2519	switch (param.p->type) {
		2520	case SCTP_PARAM_ADD_IP:
		2521	case SCTP_PARAM_DEL_IP:
		2522	case SCTP_PARAM_SET_PRIMARY:
		2523	asconf_param = (sctp_addip_param_t *)param.v;
		2524	plen = ntohs(asconf_param->param_hdr.length);
		2525	if (plen < sizeof(sctp_addip_param_t) +
		2526	sizeof(sctp_paramhdr_t))
		2527	return 0;
		2528	break;
		2529	case SCTP_PARAM_SUCCESS_REPORT:
		2530	case SCTP_PARAM_ADAPTATION_LAYER_IND:
		2531	if (length != sizeof(sctp_addip_param_t))
		2532	return 0;
		2533
		2534	break;
		2535	default:
		2536	break;
		2537	}
		2538
		2539	param.v += WORD_ROUND(length);
		2540	}
		2541
		2542	if (param.v != chunk_end)
		2543	return 0;
		2544
		2545	return 1;
		2546	}
		2547
2502	/* Process an incoming ASCONF chunk with the next expected serial no. and	2548	/* Process an incoming ASCONF chunk with the next expected serial no. and
2503	* return an ASCONF_ACK chunk to be sent in response.	2549	* return an ASCONF_ACK chunk to be sent in response.
2504	*/	2550	*/