From a601266e4f3c479790f373c2e3122a766d123652 Mon Sep 17 00:00:00 2001 From: Vladislav Yasevich Date: Fri, 19 May 2006 14:25:53 -0700 Subject: [SCTP]: Validate the parameter length in HB-ACK chunk. If SCTP receives a badly formatted HB-ACK chunk, it is possible that we may access invalid memory and potentially have a buffer overflow. We should really make sure that the chunk format is what we expect, before attempting to touch the data. Signed-off-by: Vlad Yasevich Signed-off-by: Sridhar Samudrala --- net/sctp/sm_statefuns.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'net/sctp') diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 174f7a7c6cd..8bc279219a7 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -1019,6 +1019,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, commands); hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; + /* Make sure that the length of the parameter is what we expect */ + if (ntohs(hbinfo->param_hdr.length) != + sizeof(sctp_sender_hb_info_t)) { + return SCTP_DISPOSITION_DISCARD; + } + from_addr = hbinfo->daddr; link = sctp_assoc_lookup_paddr(asoc, &from_addr); -- cgit v1.2.3