mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-27 12:57:53 +00:00
sctp: fix a potential overflow in sctp_ifwdtsn_skip
[ Upstream commit32832a2caf
] Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only checks the pos against the end of the chunk. However, the data left for the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference it as struct sctp_ifwdtsn_skip may cause coverflow. This patch fixes it by checking the pos against "the end of the chunk - sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to sctp_fwdtsn_skip. Fixes:0fc2ea922c
("sctp: implement validate_ftsn for sctp_stream_interleave") Signed-off-by: Xin Long <lucien.xin@gmail.com> Link: https://lore.kernel.org/r/2a71bffcd80b4f2c61fac6d344bb2f11c8fd74f7.1681155810.git.lucien.xin@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
8c9ce34a6f
commit
ad988e9b5f
1 changed files with 2 additions and 1 deletions
|
@ -1154,7 +1154,8 @@ static void sctp_generate_iftsn(struct sctp_outq *q, __u32 ctsn)
|
|||
|
||||
#define _sctp_walk_ifwdtsn(pos, chunk, end) \
|
||||
for (pos = chunk->subh.ifwdtsn_hdr->skip; \
|
||||
(void *)pos < (void *)chunk->subh.ifwdtsn_hdr->skip + (end); pos++)
|
||||
(void *)pos <= (void *)chunk->subh.ifwdtsn_hdr->skip + (end) - \
|
||||
sizeof(struct sctp_ifwdtsn_skip); pos++)
|
||||
|
||||
#define sctp_walk_ifwdtsn(pos, ch) \
|
||||
_sctp_walk_ifwdtsn((pos), (ch), ntohs((ch)->chunk_hdr->length) - \
|
||||
|
|
Loading…
Reference in a new issue