2 files changed, 11 insertions, 4 deletions

diff --git a/net/sctp/input.c b/net/sctp/input.c
index 71fd56375641..cb78b50868ee 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -588,10 +588,16 @@ int sctp_rcv_ootb(struct sk_buff *skb)
         sctp_errhdr_t *err;
 
         ch = (sctp_chunkhdr_t *) skb->data;
-        ch_end = ((__u8 *) ch) + WORD_ROUND(ntohs(ch->length));
 
         /* Scan through all the chunks in the packet.  */
-        while (ch_end > (__u8 *)ch && ch_end < skb->tail) {
+        do {
+                /* Break out if chunk length is less then minimal. */
+                if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
+                        break;
+
+                ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+                if (ch_end > skb->tail)
+                        break;
 
                 /* RFC 8.4, 2) If the OOTB packet contains an ABORT chunk, the
                  * receiver MUST silently discard the OOTB packet and take no
@@ -622,8 +628,7 @@ int sctp_rcv_ootb(struct sk_buff *skb)
                 }
 
                 ch = (sctp_chunkhdr_t *) ch_end;
-                ch_end = ((__u8 *) ch) + WORD_ROUND(ntohs(ch->length));
-        }
+        } while (ch_end < skb->tail);
 
         return 0;
 
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 477d7f80dba6..71c9a961c321 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3090,6 +3090,8 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
                         break;
 
                 ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+                if (ch_end > skb->tail)
+                        break;
 
                 if (SCTP_CID_SHUTDOWN_ACK == ch->type)
                         ootb_shut_ack = 1;