Date: Thu, 13 Jul 2017 13:44:43 -0700 (PDT)
Message-Id: <20170713.134443.1912348414766536226.davem@davemloft.net>
To: glider@google.com
Cc: dvyukov@google.com, kcc@google.com, edumazet@google.com, lucien.xin@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] sctp: don't dereference ptr before leaving _sctp_walk_{params,errors}()
From: David Miller
References: <20170713181034.41123-1-glider@google.com> <20170713.113206.177363709000549854.davem@davemloft.net>

From: Alexander Potapenko
Date: Thu, 13 Jul 2017 21:28:39 +0200

> On Thu, Jul 13, 2017 at 8:32 PM, David Miller wrote:
>> struct sctp_paramhdr {
>> 	__be16 type;
>> 	__be16 length;
>> };
>>
>> typedef struct sctp_errhdr {
>> 	__be16 cause;
>> 	__be16 length;
>> 	__u8 variable[0];
>> } sctp_errhdr_t;
 ...
>> Something like:
>>
>> pos.v + offsetof(pos.v, length) + sizeof(pos.v->length) <= (void *) chunk + end
>
> Do we need to bother about truncated structures? Shouldn't it be
> enough to check that there's at least sizeof(struct sctp_paramhdr)
> bytes left then?

With the zero length array at the end, it's arguable what the "size"
of such a thing is.

That's why I tried to be explicit with the length field.
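The bounds check discussed above, written out as an added example in C. This is not code from the thread or from the kernel's `_sctp_walk_params()` macro; the struct layouts mirror the ones quoted, the sample parameter lists are constructed here, and the 4-byte padding of parameters follows the SCTP wire format (RFC 4960). The walker reads the `length` field only after confirming the bytes holding that field lie inside the buffer, then rejects a length shorter than the header or longer than what remains, so a truncated or malformed trailer stops the walk instead of being dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout-only mirrors of the kernel structs quoted in the thread. */
struct sctp_paramhdr {
    uint16_t type;    /* big-endian on the wire */
    uint16_t length;  /* big-endian; includes this header */
};

/* The kernel declares the trailer as `__u8 variable[0]`; a C99 flexible
 * array member is used here and also contributes nothing to sizeof. */
struct sctp_errhdr {
    uint16_t cause;
    uint16_t length;
    uint8_t  variable[];
};

/* sizeof(struct sctp_errhdr) is just the two 16-bit fields: 4 bytes. */
size_t errhdr_size(void) { return sizeof(struct sctp_errhdr); }

/*
 * Walk a chunk body of `end` bytes at `chunk`.  Returns the number of
 * well-formed parameters, or -1 if the walk hit a truncated or malformed
 * header.  `remaining` is compared before any field is read, so no byte
 * past the buffer is ever touched.
 */
int count_params(const uint8_t *chunk, size_t end)
{
    const size_t len_off = offsetof(struct sctp_paramhdr, length);
    const size_t len_end = len_off + sizeof(((struct sctp_paramhdr *)0)->length);
    size_t pos = 0;
    int params = 0;

    while (pos < end) {
        size_t remaining = end - pos;

        /* The explicit check from the thread: the length field itself must
         * be inside the buffer before it is read. */
        if (remaining < len_end)
            return -1;

        size_t len = ((size_t)chunk[pos + len_off] << 8) | chunk[pos + len_off + 1];

        /* Shorter than the header: malformed (and would never advance).
         * Longer than what is left: truncated parameter. */
        if (len < sizeof(struct sctp_paramhdr) || len > remaining)
            return -1;

        params++;

        /* Parameters are padded to a 4-byte boundary; the final pad may be
         * absent at the very end of the chunk, so clamp to the buffer. */
        size_t padded = (len + 3) & ~(size_t)3;
        pos += (padded > remaining) ? remaining : padded;
    }
    return params;
}

/* Constructed sample parameter lists (not captured traffic). */
static const uint8_t SAMPLE_OK[] = {
    0x00, 0x01, 0x00, 0x08, 0xaa, 0xbb, 0xcc, 0xdd,   /* type 1, len 8 */
    0x00, 0x02, 0x00, 0x04 };                         /* type 2, len 4 */
static const uint8_t SAMPLE_PADDED[] = {
    0x00, 0x01, 0x00, 0x05, 0xaa, 0x00, 0x00, 0x00,   /* len 5 + 3 pad */
    0x00, 0x02, 0x00, 0x04 };
static const uint8_t SAMPLE_SHORT_HDR[] = { 0x00, 0x01, 0x00 };       /* 3 bytes */
static const uint8_t SAMPLE_OVERLONG[]  = { 0x00, 0x01, 0x00, 0x10, 0xaa, 0xbb };
static const uint8_t SAMPLE_ZERO_LEN[]  = { 0x00, 0x01, 0x00, 0x00 };

int main(void)
{
    printf("sizeof(struct sctp_errhdr) = %zu\n", errhdr_size());
    printf("ok: %d  padded: %d  short_hdr: %d  overlong: %d  zero_len: %d\n",
           count_params(SAMPLE_OK, sizeof SAMPLE_OK),
           count_params(SAMPLE_PADDED, sizeof SAMPLE_PADDED),
           count_params(SAMPLE_SHORT_HDR, sizeof SAMPLE_SHORT_HDR),
           count_params(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG),
           count_params(SAMPLE_ZERO_LEN, sizeof SAMPLE_ZERO_LEN));
    return 0;
}
```

The same header-first check applies unchanged to `struct sctp_errhdr`, since `cause`/`length` sit at the same offsets as `type`/`length` and the trailing array adds nothing to `sizeof`, which is the point made above about that size being arguable.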