[PATCH 3/3] sctp: check invalid value of length parameter in error

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH 3/3] sctp: check invalid value of length parameter in error
@ 2010-05-12  9:30 Shan Wei
  2010-05-13 13:24 ` [PATCH 3/3] sctp: check invalid value of length parameter in Wei Yongjun
  0 siblings, 1 reply; 2+ messages in thread
From: Shan Wei @ 2010-05-12  9:30 UTC (permalink / raw)
  To: linux-sctp


RFC4960, section 3.3.7 said:
 If an endpoint receives an ABORT with a format error or no TCB is
 found, it MUST silently discard it.

When an endpoint receives ABORT that parameter value is invalid,
drop it.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
---
 net/sctp/sm_statefuns.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 32e75ea..0d2e62f 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2423,8 +2423,15 @@ static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
 
 	/* See if we have an error cause code in the chunk.  */
 	len = ntohs(chunk->chunk_hdr->length);
-	if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
+	if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
+
+		sctp_errhdr_t *err;
+		sctp_walk_errors(err, chunk->chunk_hdr);
+		if ((void *)err != (void *)chunk->chunk_hdr + len)
+			return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
+
 		error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
+	}
 
 	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
 	/* ASSOC_FAILED will DELETE_TCB. */
-- 
1.6.3.3

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH 3/3] sctp: check invalid value of length parameter in
  2010-05-12  9:30 [PATCH 3/3] sctp: check invalid value of length parameter in error Shan Wei
@ 2010-05-13 13:24 ` Wei Yongjun
  0 siblings, 0 replies; 2+ messages in thread
From: Wei Yongjun @ 2010-05-13 13:24 UTC (permalink / raw)
  To: linux-sctp


> RFC4960, section 3.3.7 said:
>   If an endpoint receives an ABORT with a format error or no TCB is
>   found, it MUST silently discard it.
>
> When an endpoint receives ABORT that parameter value is invalid,
> drop it.
>
> Signed-off-by: Shan Wei<shanwei@cn.fujitsu.com>
> ---
>   net/sctp/sm_statefuns.c |    9 ++++++++-
>   1 files changed, 8 insertions(+), 1 deletions(-)
>
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index 32e75ea..0d2e62f 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -2423,8 +2423,15 @@ static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
>
>   	/* See if we have an error cause code in the chunk.  */
>   	len = ntohs(chunk->chunk_hdr->length);
> -	if (len>= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
> +	if (len>= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
> +
> +		sctp_errhdr_t *err;
> +		sctp_walk_errors(err, chunk->chunk_hdr);
> +		if ((void *)err != (void *)chunk->chunk_hdr + len)
>    

As Vlad said, use "if ((void*)err != (void*)chunk->chunk_end)" instead.

> +			return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
> +
>   		error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
> +	}
>
>   	sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
>   	/* ASSOC_FAILED will DELETE_TCB. */
>    


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2010-05-13 13:24 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-05-12  9:30 [PATCH 3/3] sctp: check invalid value of length parameter in error Shan Wei
2010-05-13 13:24 ` [PATCH 3/3] sctp: check invalid value of length parameter in Wei Yongjun

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.