[patch 03/40] sctp: Avoid memory overflow while FWD-TSN chunk isreceived with bad stream ID

From: Greg KH
Date: Fri Jan 23 2009 - 01:17:27 EST

Next message: Greg KH: "[patch 04/40] pkt_sched: cls_u32: Fix locking in u32_change()"
Previous message: Greg KH: "[patch 02/40] ipv6: Fix fib6_dump_table walker leak"
In reply to: Greg KH: "[patch 02/40] ipv6: Fix fib6_dump_table walker leak"
Next in thread: Greg KH: "[patch 04/40] pkt_sched: cls_u32: Fix locking in u32_change()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.27-stable review patch. If anyone has any objections, please let us know.

------------------

From: Wei Yongjun <yjwei@xxxxxxxxxxxxxx>

[ Upstream commit: 9fcb95a105758b81ef0131cd18e2db5149f13e95 ]

If FWD-TSN chunk is received with bad stream ID, the sctp will not do the
validity check, this may cause memory overflow when overwrite the TSN of
the stream ID.

The FORWARD-TSN chunk is like this:

FORWARD-TSN chunk
Type = 192
Flags = 0
Length = 172
NewTSN = 99
Stream = 10000
StreamSequence = 0xFFFF

This patch fix this problem by discard the chunk if stream ID is not
less than MIS.

Signed-off-by: Wei Yongjun <yjwei@xxxxxxxxxxxxxx>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@xxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
net/sctp/sm_statefuns.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)

--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3635,6 +3635,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
{
struct sctp_chunk *chunk = arg;
struct sctp_fwdtsn_hdr *fwdtsn_hdr;
+ struct sctp_fwdtsn_skip *skip;
__u16 len;
__u32 tsn;

@@ -3664,6 +3665,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
goto discard_noforce;

+ /* Silently discard the chunk if stream-id is not valid */
+ sctp_walk_fwdtsn(skip, chunk) {
+ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
+ goto discard_noforce;
+ }
+
sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
if (len > sizeof(struct sctp_fwdtsn_hdr))
sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
@@ -3695,6 +3702,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
{
struct sctp_chunk *chunk = arg;
struct sctp_fwdtsn_hdr *fwdtsn_hdr;
+ struct sctp_fwdtsn_skip *skip;
__u16 len;
__u32 tsn;

@@ -3724,6 +3732,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
goto gen_shutdown;

+ /* Silently discard the chunk if stream-id is not valid */
+ sctp_walk_fwdtsn(skip, chunk) {
+ if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
+ goto gen_shutdown;
+ }
+
sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
if (len > sizeof(struct sctp_fwdtsn_hdr))
sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[patch 04/40] pkt_sched: cls_u32: Fix locking in u32_change()"
Previous message: Greg KH: "[patch 02/40] ipv6: Fix fib6_dump_table walker leak"
In reply to: Greg KH: "[patch 02/40] ipv6: Fix fib6_dump_table walker leak"
Next in thread: Greg KH: "[patch 04/40] pkt_sched: cls_u32: Fix locking in u32_change()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]