git.baikalelectronics.ru Git - kernel.git/commit

author	Xin Long <lucien.xin@gmail.com>
	Wed, 15 Nov 2017 09:00:11 +0000 (17:00 +0800)
committer	David S. Miller <davem@davemloft.net>
	Thu, 16 Nov 2017 01:49:00 +0000 (10:49 +0900)
commit	5a7ce217fa2990d42b2bb251b7144a4dffe77f13
tree	85760f49fd0d9e0965e4c41b8159bc25c20a9f63	tree \| snapshot
parent	6d764aa80ed84760c4b171653d0fb0d334ade232	commit \| diff

sctp: check stream reset info len before making reconf chunk

Now when resetting stream, if both in and out flags are set, the info
len can reach:
  sizeof(struct sctp_strreset_outreq) + SCTP_MAX_STREAM(65535) +
  sizeof(struct sctp_strreset_inreq)  + SCTP_MAX_STREAM(65535)
even without duplicated stream no, this value is far greater than the
chunk's max size.

_sctp_make_chunk doesn't do any check for this, which would cause the
skb it allocs is huge, syzbot even reported a crash due to this.

This patch is to check stream reset info len before making reconf
chunk and return EINVAL if the len exceeds chunk's capacity.

Thanks Marcelo and Neil for making this clear.

v1->v2:
  - move the check into sctp_send_reset_streams instead.

Fixes: 90b053c76600 ("sctp: add support for generating stream reconf ssn reset request chunk")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/sctp/sm_make_chunk.c		diff \| blob \| history
net/sctp/stream.c		diff \| blob \| history