From: Alexey Kodanev <alexey.koda...@oracle.com>
Date: Fri, 9 Feb 2018 17:35:23 +0300

> When SCTP makes an INIT or INIT_ACK packet the total chunk length
> can exceed SCTP_MAX_CHUNK_LEN, which leads to a kernel panic when
> transmitting these packets, e.g. the crash on sending INIT_ACK:
>
> ...
>
> Here the chunk size for the INIT_ACK packet becomes too big, mostly
> because of the state cookie (the INIT packet has a large size with
> many address parameters), plus additional server parameters.
>
> Later this chunk causes the panic in skb_put_data():
>
>     skb_packet_transmit()
>         sctp_packet_pack()
>             skb_put_data(nskb, chunk->skb->data, chunk->skb->len);
>
> 'nskb' (head skb) was previously allocated with packet->size
> from u16 'chunk->chunk_hdr->length'.
>
> As suggested by Marcelo, we should check the chunk's length in
> _sctp_make_chunk() before trying to allocate an skb for it and
> discard a chunk if its size is bigger than SCTP_MAX_CHUNK_LEN.
>
> Signed-off-by: Alexey Kodanev <alexey.koda...@oracle.com>

Applied and queued up for -stable, thanks.
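The failure mode the patch description relies on is that the chunk length is carried in a 16-bit header field, so a chunk assembled from many parameters can wrap and the transmit path then allocates less than it copies. The following is an added, self-contained model of that condition and of the pre-allocation check the patch adds; it is not kernel code, and the constant, structure and function names (SCTP_MAX_CHUNK_LEN_MODEL, chunk_hdr, make_chunk_checked) are simplified stand-ins for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed upper bound for this model; the kernel's SCTP_MAX_CHUNK_LEN is
 * derived from its own skb bookkeeping and is not reproduced here. */
#define SCTP_MAX_CHUNK_LEN_MODEL 65535U

/* Simplified on-wire chunk header: the length field is only 16 bits wide. */
struct chunk_hdr {
    uint8_t  type;
    uint8_t  flags;
    uint16_t length;
};

/* The value a header field would end up holding for a given payload size.
 * Anything above 65535 silently wraps, which is the root of the bug. */
uint16_t header_length_for(size_t payload_len)
{
    return (uint16_t)(sizeof(struct chunk_hdr) + payload_len);
}

/* The real number of bytes the chunk occupies, computed in a wide type. */
size_t real_chunk_length(size_t payload_len)
{
    return sizeof(struct chunk_hdr) + payload_len;
}

/* Before the fix: an allocation sized from the truncated u16 is smaller than
 * the data later copied into it, so the copy would run past the buffer. */
bool unchecked_path_would_overflow(size_t payload_len)
{
    return (size_t)header_length_for(payload_len) < real_chunk_length(payload_len);
}

/* After the fix: validate the full-width length before any allocation and
 * discard the chunk when it cannot be represented. Returns false on discard. */
bool make_chunk_checked(size_t payload_len, size_t *alloc_size)
{
    size_t total = real_chunk_length(payload_len);
    if (total > SCTP_MAX_CHUNK_LEN_MODEL)
        return false;          /* chunk discarded, nothing allocated */
    *alloc_size = total;       /* safe: fits the 16-bit header field */
    return true;
}
```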