From: Alexey Kodanev <alexey.koda...@oracle.com>
Date: Fri, 9 Feb 2018 17:35:23 +0300
> When SCTP makes INIT or INIT_ACK packet the total chunk length
> can exceed SCTP_MAX_CHUNK_LEN which leads to kernel panic when
> transmitting these packets, e.g. the crash on sending INIT_ACK:
> Here the chunk size for INIT_ACK packet becomes too big, mostly
> because of the state cookie (INIT packet has large size with
> many address parameters), plus additional server parameters.
> Later this chunk causes the panic in skb_put_data():
> skb_put_data(nskb, chunk->skb->data, chunk->skb->len);
> 'nskb' (head skb) was previously allocated with packet->size
> from u16 'chunk->chunk_hdr->length'.
> As suggested by Marcelo we should check the chunk's length in
> _sctp_make_chunk() before trying to allocate skb for it and
> discard a chunk if its size bigger than SCTP_MAX_CHUNK_LEN.
> Signed-off-by: Alexey Kodanev <alexey.koda...@oracle.com>
Applied and queued up for -stable, thanks.