Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / dac164193b98a5ab6150458f91dd68c2051e7218
commitdac164193b98a5ab6150458f91dd68c2051e7218[log] [tgz]
authorMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>Tue Oct 25 14:27:39 2016 -0200
committerchrmhoffmann <chrmhoffmann@gmail.com>Sat Aug 12 10:53:01 2017 +0200
tree0d728c204eaf300df9923a64310529db79d8bc06
parentb02acf41c09121acd2e80074265fe89a143abc6b [diff]
sctp: validate chunk len before actually using it

Andrey Konovalov reported that KASAN detected that SCTP was using a slab
beyond the boundaries. It was caused because when handling out of the
blue packets in function sctp_sf_ootb() it was checking the chunk len
only after already processing the first chunk, validating only for the
2nd and subsequent ones.

The fix is to just move the check upwards so it's also validated for the
1st chunk.

Backport reference:
 * WORD_ROUND was later replaced with SCTP_PAD4

Change-Id: I1e1c96e088f77231b319b728c8e4c6a6b541c6c0
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian DC <radian.dc@gmail.com>
1 file changed
tree: 0d728c204eaf300df9923a64310529db79d8bc06
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. AndroidKernel.mk
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS