* [PATCH net-next v4] sctp: fix a potential OOB access in sctp_sched_set_sched()
@ 2023-05-10 9:23 Gavrilov Ilia
2023-05-10 11:20 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 2+ messages in thread
From: Gavrilov Ilia @ 2023-05-10 9:23 UTC (permalink / raw)
To: Neil Horman
Cc: Gavrilov Ilia, Simon Horman, Marcelo Ricardo Leitner, Xin Long,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org
From: "Ilia.Gavrilov" <Ilia.Gavrilov@infotecs.ru>
The 'sched' index value must be checked before accessing an element
of the 'sctp_sched_ops' array. Otherwise, it can lead to OOB access.
Note that it's harmless since the 'sched' parameter is checked before
calling 'sctp_sched_set_sched'.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
---
V4:
- revert to V2
- repost according to
https://lore.kernel.org/all/20230503184928.458eb0da@kernel.org/
V3:
- Change description
- Remove 'fixes'
V2:
- Change the order of local variables
- Specify the target tree in the subject
net/sctp/stream_sched.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
index 330067002deb..4d076a9b8592 100644
--- a/net/sctp/stream_sched.c
+++ b/net/sctp/stream_sched.c
@@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream)
int sctp_sched_set_sched(struct sctp_association *asoc,
enum sctp_sched_type sched)
{
- struct sctp_sched_ops *n = sctp_sched_ops[sched];
struct sctp_sched_ops *old = asoc->outqueue.sched;
struct sctp_datamsg *msg = NULL;
+ struct sctp_sched_ops *n;
struct sctp_chunk *ch;
int i, ret = 0;
- if (old == n)
- return ret;
-
if (sched > SCTP_SS_MAX)
return -EINVAL;
+ n = sctp_sched_ops[sched];
+ if (old == n)
+ return ret;
+
if (old)
sctp_sched_free_sched(&asoc->stream);
--
2.30.2
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH net-next v4] sctp: fix a potential OOB access in sctp_sched_set_sched()
2023-05-10 9:23 [PATCH net-next v4] sctp: fix a potential OOB access in sctp_sched_set_sched() Gavrilov Ilia
@ 2023-05-10 11:20 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-05-10 11:20 UTC (permalink / raw)
To: Gavrilov Ilia
Cc: nhorman, simon.horman, marcelo.leitner, lucien.xin, davem,
edumazet, kuba, pabeni, linux-sctp, netdev, linux-kernel,
lvc-project
Hello:
This patch was applied to netdev/net-next.git (main)
by David S. Miller <davem@davemloft.net>:
On Wed, 10 May 2023 09:23:40 +0000 you wrote:
> From: "Ilia.Gavrilov" <Ilia.Gavrilov@infotecs.ru>
>
> The 'sched' index value must be checked before accessing an element
> of the 'sctp_sched_ops' array. Otherwise, it can lead to OOB access.
>
> Note that it's harmless since the 'sched' parameter is checked before
> calling 'sctp_sched_set_sched'.
>
> [...]
Here is the summary with links:
- [net-next,v4] sctp: fix a potential OOB access in sctp_sched_set_sched()
https://git.kernel.org/netdev/net-next/c/059fa492027e
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-05-10 11:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-05-10 9:23 [PATCH net-next v4] sctp: fix a potential OOB access in sctp_sched_set_sched() Gavrilov Ilia
2023-05-10 11:20 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox