path: root/net/sctp/sm_make_chunk.c
diff options
authorXin Long <lucien.xin@gmail.com>2017-11-15 17:00:11 +0800
committerDavid S. Miller <davem@davemloft.net>2017-11-16 10:49:00 +0900
commit423852f89034492cc40920c00908f6de7d2dbe4f (patch)
tree85760f49fd0d9e0965e4c41b8159bc25c20a9f63 /net/sctp/sm_make_chunk.c
parentsctp: use the right sk after waking up from wait_buf sleep (diff)
sctp: check stream reset info len before making reconf chunk
Now when resetting stream, if both in and out flags are set, the info len can reach: sizeof(struct sctp_strreset_outreq) + SCTP_MAX_STREAM(65535) + sizeof(struct sctp_strreset_inreq) + SCTP_MAX_STREAM(65535) even without duplicated stream no, this value is far greater than the chunk's max size. _sctp_make_chunk doesn't do any check for this, which would cause the skb it allocs is huge, syzbot even reported a crash due to this. This patch is to check stream reset info len before making reconf chunk and return EINVAL if the len exceeds chunk's capacity. Thanks Marcelo and Neil for making this clear. v1->v2: - move the check into sctp_send_reset_streams instead. Fixes: cc16f00f6529 ("sctp: add support for generating stream reconf ssn reset request chunk") Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp/sm_make_chunk.c')
1 files changed, 1 insertions, 1 deletions
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 514465b03829..9bf575f2e8ed 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3594,8 +3594,8 @@ struct sctp_chunk *sctp_make_strreset_req(
__u16 stream_num, __be16 *stream_list,
bool out, bool in)
+ __u16 stream_len = stream_num * sizeof(__u16);
struct sctp_strreset_outreq outreq;
- __u16 stream_len = stream_num * 2;
struct sctp_strreset_inreq inreq;
struct sctp_chunk *retval;
__u16 outlen, inlen;