Gitweb:
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a09c83847b664dcd67a72613374061c900afb799
Commit: a09c83847b664dcd67a72613374061c900afb799
Parent: ca9938fea576ebbb8d8c4fbe8a5bcc937e49e1ca
Author: Vlad Yasevich <[EMAIL PROTECTED]>
AuthorDate: Wed Sep 5 15:53:58 2007 -0400
Committer: David S. Miller <[EMAIL PROTECTED]>
CommitDate: Tue Sep 25 22:55:45 2007 -0700
SCTP: Validate buffer room when processing sequential chunks
When we process bundled chunks, we need to make sure that
the skb has the buffer for each header since we assume it's
always there. Some malicious node can send us something like
DATA + 2 bytes and we'll try to walk off the end refrencing
potentially uninitialized memory.
Signed-off-by: Vlad Yasevich <[EMAIL PROTECTED]>
---
net/sctp/inqueue.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 88aa224..e4ea7fd 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -130,6 +130,14 @@ struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
/* Force chunk->skb->data to chunk->chunk_end. */
skb_pull(chunk->skb,
chunk->chunk_end - chunk->skb->data);
+
+ /* Verify that we have at least chunk headers
+ * worth of buffer left.
+ */
+ if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) {
+ sctp_chunk_free(chunk);
+ chunk = queue->in_progress = NULL;
+ }
}
}
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
