Re: [PATCH net] sctp: fix SCTP_RESET_STREAMS stream list length limit

Next message: George Moussalem via B4 Relay: "[PATCH 0/6] Add support for IPQ5018 Bluetooth"
Previous message: Arnd Bergmann: "Re: [PATCH 2/3] mtd: maps: remove uclinux map driver"
In reply to: Yousef Alhouseen: "[PATCH net] sctp: fix SCTP_RESET_STREAMS stream list length limit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Xin Long

Date: Thu Jun 25 2026 - 10:19:15 EST

On Wed, Jun 24, 2026 at 8:22 AM Yousef Alhouseen
<alhouseenyousef@xxxxxxxxx> wrote:
>
> SCTP_RESET_STREAMS carries a flexible array of u16 stream IDs, but the
> optlen clamps treat USHRT_MAX as a byte count and then multiply
> sizeof(__u16) by the fixed header size.
>
> That caps the copied and validated option buffer at about 64 KiB, which
> rejects valid requests containing more than about half of the u16 stream
> ID range.
>
> Use struct_size_t() for the maximum struct sctp_reset_streams layout
> instead, so the bound matches the flexible array described by
> srs_number_streams.
>
> Signed-off-by: Yousef Alhouseen <alhouseenyousef@xxxxxxxxx>

Fixes: 5960cefab9df ("sctp: add a ceiling to optlen in some sockopts")
Acked-by: Xin Long <lucien.xin@xxxxxxxxx>