Commit a8feee2c authored by Jon Grimm's avatar Jon Grimm

[SCTP] Verify contents of SACK against underrun.

Verify that the counts for duptsns and gapacks can actually
fit in the skb so we won't underrun. 
parent 09593bb6
...@@ -2739,6 +2739,9 @@ sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep, ...@@ -2739,6 +2739,9 @@ sctp_disposition_t sctp_sf_eat_sack_6_2(const struct sctp_endpoint *ep,
/* Pull the SACK chunk from the data buffer */ /* Pull the SACK chunk from the data buffer */
sackh = sctp_sm_pull_sack(chunk); sackh = sctp_sm_pull_sack(chunk);
/* Was this a bogus SACK? */
if (!sackh)
return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
chunk->subh.sack_hdr = sackh; chunk->subh.sack_hdr = sackh;
ctsn = ntohl(sackh->cum_tsn_ack); ctsn = ntohl(sackh->cum_tsn_ack);
...@@ -4405,22 +4408,27 @@ sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep, ...@@ -4405,22 +4408,27 @@ sctp_disposition_t sctp_sf_timer_ignore(const struct sctp_endpoint *ep,
********************************************************************/ ********************************************************************/
/* Pull the SACK chunk based on the SACK header. */ /* Pull the SACK chunk based on the SACK header. */
sctp_sackhdr_t *sctp_sm_pull_sack(struct sctp_chunk *chunk) struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk)
{ {
sctp_sackhdr_t *sack; struct sctp_sackhdr *sack;
unsigned int len;
__u16 num_blocks; __u16 num_blocks;
__u16 num_dup_tsns; __u16 num_dup_tsns;
/* FIXME: Protect ourselves from reading too far into /* Protect ourselves from reading too far into
* the skb from a bogus sender. * the skb from a bogus sender.
*/ */
sack = (sctp_sackhdr_t *) chunk->skb->data; sack = (struct sctp_sackhdr *) chunk->skb->data;
skb_pull(chunk->skb, sizeof(sctp_sackhdr_t));
num_blocks = ntohs(sack->num_gap_ack_blocks); num_blocks = ntohs(sack->num_gap_ack_blocks);
num_dup_tsns = ntohs(sack->num_dup_tsns); num_dup_tsns = ntohs(sack->num_dup_tsns);
len = sizeof(struct sctp_sackhdr);
len = (num_blocks + num_dup_tsns) * sizeof(__u32);
if (len > chunk->skb->len)
return NULL;
skb_pull(chunk->skb, len);
skb_pull(chunk->skb, (num_blocks + num_dup_tsns) * sizeof(__u32));
return sack; return sack;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment