* sctp: Avoid memory overflow while FWD-TSN chunk is received with
@ 2008-11-24 5:51 Wei Yongjun
2008-11-24 13:25 ` Vlad Yasevich
0 siblings, 1 reply; 2+ messages in thread
From: Wei Yongjun @ 2008-11-24 5:51 UTC (permalink / raw)
To: linux-sctp
If FWD-TSN chunk is received with bad stream ID, the sctp will not do the
validity check, this may cause memory overflow when overwrite the TSN of
the stream ID.
The FORWARD-TSN chunk is like this:
FORWARD-TSN chunk
Type = 192
Flags = 0
Length = 172
NewTSN = 99
Stream = 10000
StreamSequence = 0xFFFF
This patch fix this problem by skip the stream ID which not less than MIS.
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
---
net/sctp/ulpqueue.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index 7b23803..dacdc3b 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -940,7 +940,10 @@ void sctp_ulpq_skip(struct sctp_ulpq *ulpq, __u16 sid, __u16 ssn)
{
struct sctp_stream *in;
- /* Note: The stream ID must be verified before this routine. */
+ /* Skip the stream ID which larger than MIS */
+ if (sid >= ulpq->asoc->c.sinit_max_instreams)
+ return;
+
in = &ulpq->asoc->ssnmap->in;
/* Is this an old SSN? If so ignore. */
--
1.6.0.2.530.g67faa
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: sctp: Avoid memory overflow while FWD-TSN chunk is received with
2008-11-24 5:51 sctp: Avoid memory overflow while FWD-TSN chunk is received with Wei Yongjun
@ 2008-11-24 13:25 ` Vlad Yasevich
0 siblings, 0 replies; 2+ messages in thread
From: Vlad Yasevich @ 2008-11-24 13:25 UTC (permalink / raw)
To: linux-sctp
Wei Yongjun wrote:
> If FWD-TSN chunk is received with bad stream ID, the sctp will not do the
> validity check, this may cause memory overflow when overwrite the TSN of
> the stream ID.
>
> The FORWARD-TSN chunk is like this:
>
> FORWARD-TSN chunk
> Type = 192
> Flags = 0
> Length = 172
> NewTSN = 99
> Stream = 10000
> StreamSequence = 0xFFFF
>
> This patch fix this problem by skip the stream ID which not less than MIS.
>
> Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
> ---
> net/sctp/ulpqueue.c | 5 ++++-
> 1 files changed, 4 insertions(+), 1 deletions(-)
>
> diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
> index 7b23803..dacdc3b 100644
> --- a/net/sctp/ulpqueue.c
> +++ b/net/sctp/ulpqueue.c
> @@ -940,7 +940,10 @@ void sctp_ulpq_skip(struct sctp_ulpq *ulpq, __u16 sid, __u16 ssn)
> {
> struct sctp_stream *in;
>
> - /* Note: The stream ID must be verified before this routine. */
> + /* Skip the stream ID which larger than MIS */
> + if (sid >= ulpq->asoc->c.sinit_max_instreams)
> + return;
> +
> in = &ulpq->asoc->ssnmap->in;
>
> /* Is this an old SSN? If so ignore. */
Yes, this check is needed, but this is the wrong place. Should we really
process the FWD-TSN if the stream-id is invalid? My opinion would be NO.
So, the check and stream-id walk is really needed in sctp_sf_eat_fwd_tsn()
and sctp_sf_eat_fwd_tsn_fast() and we can simply discard the chunk treating
it just like if the TSN is invalid.
-vlad
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2008-11-24 13:25 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-11-24 5:51 sctp: Avoid memory overflow while FWD-TSN chunk is received with Wei Yongjun
2008-11-24 13:25 ` Vlad Yasevich
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.