sctp: add size validation when walking chunks

marceloleitner · davem330 · commit 50619dbf8db7 · 2021-06-28T15:34:50.000-07:00
The first chunk in a packet is ensured to be present at the beginning of
sctp_rcv(), as a packet needs to have at least 1 chunk. But the second
one, may not be completely available and ch-&gt;length can be over
uninitialized memory.

Fix here is by only trying to walk on the next chunk if there is enough to
hold at least the header, and then proceed with the ch-&gt;length validation
that is already there.

Reported-by: Ilja Van Sprundel &lt;ivansprundel@ioactive.com&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/net/sctp/input.c b/net/sctp/input.c
@@ -1247,7 +1247,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net,
 
 		ch = (struct sctp_chunkhdr *)ch_end;
 		chunk_num++;
-	} while (ch_end < skb_tail_pointer(skb));
+	} while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
 
 	return asoc;
 }

Original file line number	Diff line number	Diff line change
`@@ -1247,7 +1247,7 @@ static struct sctp_association __sctp_rcv_walk_lookup(struct net net,`
`1247`	`1247`
`1248`	`1248`	`ch = (struct sctp_chunkhdr *)ch_end;`
`1249`	`1249`	`chunk_num++;`
`1250`		`- } while (ch_end < skb_tail_pointer(skb));`
	`1250`	`+ } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));`
`1251`	`1251`
`1252`	`1252`	`return asoc;`
`1253`	`1253`	`}`