Thanks for looking into it. I can try with your patch, but no
guarantees that the fuzzer will hit the same condition in some
reasonable time-frame. Will get back in some time with results.
PS. If you think it's possible to create a repro (userland code) which
can trigger this, I can give it a try.
2014-12-01 18:36 GMT+01:00 Daniel Borkmann <dborkman@xxxxxxxxxx>:--
On 12/01/2014 05:49 PM, Robert ÅwiÄcki wrote:
I don't have much more, cause my kernel is kASLRNized and gdb cannot
handle that, but pasting output from kdb. Maybe somebody will be able
to see something obvious.
<0>[93699.703244] skbuff: skb_under_panic: text:ffffffff83cff03e
len:104 put:56 head:ffff8803bd804ec0 data:ffff8803bd804ebc tail:0x64
Thanks for the report!
On a first view, it looks like we should be using MAX_HEADER instead
of LL_MAX_HEADER here, could you try with the following patch:
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 42dffd4..fc5e45b 100644
@@ -401,12 +401,12 @@ int sctp_packet_transmit(struct sctp_packet *packet)
sk = chunk->skb->sk;
/* Allocate the new skb. */
- nskb = alloc_skb(packet->size + LL_MAX_HEADER, GFP_ATOMIC);
+ nskb = alloc_skb(packet->size + MAX_HEADER, GFP_ATOMIC);
/* Make sure the outbound skb has enough header room reserved. */
- skb_reserve(nskb, packet->overhead + LL_MAX_HEADER);
+ skb_reserve(nskb, packet->overhead + MAX_HEADER);
/* Set the owning socket so that we know where to get the
* destination IP address.