diff options
author | Vladislav Yasevich <vladislav.yasevich@hp.com> | 2006-05-19 14:25:53 -0700 |
---|---|---|
committer | Chris Wright <chrisw@sous-sol.org> | 2006-05-20 15:00:34 -0700 |
commit | 1a9807fd86f9a112a39720e99be4eeae7b4e3694 (patch) | |
tree | 441c5c7eeb5fbe0cdf44f41c3e85a2ec862949f9 | |
parent | 0eca2317be1345e056fb75d256099a04c97f7021 (diff) |
[PATCH] SCTP: Validate the parameter length in HB-ACK chunk (CVE-2006-1857)
If SCTP receives a badly formatted HB-ACK chunk, it is possible
that we may access invalid memory and potentially have a buffer
overflow. We should really make sure that the chunk format is
what we expect, before attempting to touch the data.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
-rw-r--r-- | net/sctp/sm_statefuns.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 8cdba51ec07..9395e098ae2 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -1030,6 +1030,12 @@ sctp_disposition_t sctp_sf_backbeat_8_3(const struct sctp_endpoint *ep, commands); hbinfo = (sctp_sender_hb_info_t *) chunk->skb->data; + /* Make sure that the length of the parameter is what we expect */ + if (ntohs(hbinfo->param_hdr.length) != + sizeof(sctp_sender_hb_info_t)) { + return SCTP_DISPOSITION_DISCARD; + } + from_addr = hbinfo->daddr; link = sctp_assoc_lookup_paddr(asoc, &from_addr); |