sctp: frag_point sanity check If for some reason an association's fragmentation point is zero, sctp_datamsg_from_user will try to endlessly try to divide a message into zero-sized chunks. This eventually causes kernel panic due to running out of memory. Although this situation is quite unlikely, it has occurred before as reported. I propose to add this simple last-ditch sanity check due to the severity of the potential consequences. Signed-off-by: Jakub Audykowicz <jakub.audykowicz@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: afd0a8006e98b1890908f81746c94ca5dae29d7c [log] [tgz]
author: Jakub Audykowicz <jakub.audykowicz@gmail.com> Tue Dec 04 20:27:41 2018 +0100
committer: David S. Miller <davem@davemloft.net> Wed Dec 05 20:37:52 2018 -0800
tree: 22a7070a7d5b13891bc65368b42bcb18cc56d6f1
parent: b2b7af861122a0c0f6260155c29a1b2e594cd5b5 [diff] [blame]
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index bf618d1..b8cebd5 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c

@@ -3324,8 +3324,7 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned
 		__u16 datasize = asoc ? sctp_datachk_len(&asoc->stream) :
 				 sizeof(struct sctp_data_chunk);
 
-		min_len = sctp_mtu_payload(sp, SCTP_DEFAULT_MINSEGMENT,
-					   datasize);
+		min_len = sctp_min_frag_point(sp, datasize);
 		max_len = SCTP_MAX_CHUNK_LEN - datasize;
 
 		if (val < min_len || val > max_len)
commit	afd0a8006e98b1890908f81746c94ca5dae29d7c	[log] [tgz]
author	Jakub Audykowicz <jakub.audykowicz@gmail.com>	Tue Dec 04 20:27:41 2018 +0100
committer	David S. Miller <davem@davemloft.net>	Wed Dec 05 20:37:52 2018 -0800
tree	22a7070a7d5b13891bc65368b42bcb18cc56d6f1
parent	b2b7af861122a0c0f6260155c29a1b2e594cd5b5 [diff] [blame]