linux/net/sctp
Marcelo Ricardo Leitner bf911e985d sctp: validate chunk len before actually using it
Andrey Konovalov reported that KASAN detected that SCTP was using a slab
beyond the boundaries. It was caused because when handling out of the
blue packets in function sctp_sf_ootb() it was checking the chunk len
only after already processing the first chunk, validating only for the
2nd and subsequent ones.

The fix is to just move the check upwards so it's also validated for the
1st chunk.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-10-29 12:00:10 -04:00
..
Kconfig sctp: add the sctp_diag.c file 2016-04-15 17:29:36 -04:00
Makefile sctp: Add GSO support 2016-06-03 19:37:21 -04:00
associola.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
auth.c sctp: use IS_ENABLED() instead of checking for built-in or module 2016-09-10 21:19:11 -07:00
bind_addr.c sctp: fix copying more bytes than expected in sctp_add_bind_addr 2016-03-08 15:04:08 -05:00
chunk.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
debug.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
endpointola.c sctp: add SCTP_PR_SUPPORTED on sctp sockopt 2016-07-11 13:25:38 -07:00
input.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-09-23 06:46:57 -04:00
inqueue.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
ipv6.c sctp: use inet_recvmsg to support sctp RFS well 2016-07-25 10:56:28 -07:00
objcnt.c sctp: fix checkpatch errors with (foo*)|foo * bar|foo* bar 2013-12-26 13:47:47 -05:00
offload.c sctp: fix GSO for IPv6 2016-07-16 22:02:09 -07:00
output.c sctp: fix the panic caused by route update 2016-10-26 17:32:19 -04:00
outqueue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
primitive.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
probe.c net: sctp: Convert log timestamps to be y2038 safe 2016-03-01 17:18:44 -05:00
proc.c net: Suppress the "Comparison to NULL could be written" warnings 2016-09-30 01:50:45 -04:00
protocol.c sctp: use inet_recvmsg to support sctp RFS well 2016-07-25 10:56:28 -07:00
sctp_diag.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
sm_make_chunk.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
sm_sideeffect.c sctp: make sctp_outq_flush/tail/uncork return void 2016-09-18 22:02:33 -04:00
sm_statefuns.c sctp: validate chunk len before actually using it 2016-10-29 12:00:10 -04:00
sm_statetable.c sctp: fix checkpatch errors with indent 2013-12-26 13:47:48 -05:00
socket.c net: sctp, forbid negative length 2016-10-23 17:43:15 -04:00
ssnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
sysctl.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-01-11 23:55:43 -05:00
transport.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
tsnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ulpevent.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
ulpqueue.c sctp: Remove some redundant code 2016-09-19 01:34:01 -04:00