Commit 6b84202c authored by Xin Long's avatar Xin Long Committed by David S. Miller
Browse files

sctp: fix the check for _sctp_walk_params and _sctp_walk_errors 



Commit b1f5bfc2 ("sctp: don't dereference ptr before leaving
_sctp_walk_{params, errors}()") tried to fix the issue that it
may overstep the chunk end for _sctp_walk_{params, errors} with
'chunk_end > offset(length) + sizeof(length)'.

But it introduced a side effect: When processing INIT, it verifies
the chunks with 'param.v == chunk_end' after iterating all params
by sctp_walk_params(). With the check 'chunk_end > offset(length)
+ sizeof(length)', it would return when the last param is not yet
accessed. Because the last param usually is fwdtsn supported param
whose size is 4 and 'chunk_end == offset(length) + sizeof(length)'

This is a badly issue even causing sctp couldn't process 4-shakes.
Client would always get abort when connecting to server, due to
the failure of INIT chunk verification on server.

The patch is to use 'chunk_end <= offset(length) + sizeof(length)'
instead of 'chunk_end < offset(length) + sizeof(length)' for both
_sctp_walk_params and _sctp_walk_errors.

Fixes: b1f5bfc2 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()")
Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent e90ce2fc

include/net/sctp/sctp.h

+2 −2
Original line number Diff line number Diff line
@@ -469,7 +469,7 @@ _sctp_walk_params((pos), (chunk), ntohs((chunk)->chunk_hdr.length), member) 


#define _sctp_walk_params(pos, chunk, end, member)\

for (pos.v = chunk->member;\

     (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <\

     (pos.v + offsetof(struct sctp_paramhdr, length) + sizeof(pos.p->length) <=\

      (void *)chunk + end) &&\

     pos.v <= (void *)chunk + end - ntohs(pos.p->length) &&\

     ntohs(pos.p->length) >= sizeof(struct sctp_paramhdr);\
@@ -481,7 +481,7 @@ _sctp_walk_errors((err), (chunk_hdr), ntohs((chunk_hdr)->length)) 
#define _sctp_walk_errors(err, chunk_hdr, end)\

for (err = (sctp_errhdr_t *)((void *)chunk_hdr + \

	    sizeof(struct sctp_chunkhdr));\

     ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <\

     ((void *)err + offsetof(sctp_errhdr_t, length) + sizeof(err->length) <=\

      (void *)chunk_hdr + end) &&\

     (void *)err <= (void *)chunk_hdr + end - ntohs(err->length) &&\

     ntohs(err->length) >= sizeof(sctp_errhdr_t); \

CRA Git | Maintained and supported by SUSTech CRA and CCSE