From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Marcelo Ricardo Leitner , Ilja Van Sprundel , "David S . Miller" , Sasha Levin , linux-sctp@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 5.13 186/189] sctp: add size validation when walking chunks Date: Tue, 6 Jul 2021 07:14:06 -0400 Message-Id: <20210706111409.2058071-186-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210706111409.2058071-1-sashal@kernel.org> References: <20210706111409.2058071-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Marcelo Ricardo Leitner [ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ] The first chunk in a packet is ensured to be present at the beginning of sctp_rcv(), as a packet needs to have at least 1 chunk. But the second one, may not be completely available and ch->length can be over uninitialized memory. Fix here is by only trying to walk on the next chunk if there is enough to hold at least the header, and then proceed with the ch->length validation that is already there. Reported-by: Ilja Van Sprundel Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/sctp/input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/input.c b/net/sctp/input.c index 8924e2e142c8..f72bff93745c 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -1247,7 +1247,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net, ch = (struct sctp_chunkhdr *)ch_end; chunk_num++; - } while (ch_end < skb_tail_pointer(skb)); + } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb)); return asoc; } -- 2.30.2
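Review bot: the changed loop condition `} while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));` needs a comment in the code, because nothing in the loop body says why a whole header must remain after ch_end: the next iteration reads ch->length at the top of the loop before the existing ch->length validation the commit message refers to, so this tail check is the only thing keeping that read inside the skb. Worth also noting in that comment that `<` rather than `<=` is deliberately conservative: a final chunk of exactly sizeof(*ch) bytes that ends right at the tail pointer is never inspected, which is harmless for this lookup (a header-only chunk carries no body to look anything up from) but looks like an off-by-one to a later reader who might "correct" it.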
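A user-space model of the loop this patch changes, added here as an illustration and not the kernel's own code: it walks constructed SCTP chunk buffers with the old and the patched exit condition and reports whether ch->length would have been read beyond the tail pointer. The struct and macro names mirror the kernel's but are re-declared locally, and the two packets are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Wire format of an SCTP chunk header (RFC 4960): type, flags, 16-bit big-endian length. */
struct sctp_chunkhdr {
    uint8_t  type;
    uint8_t  flags;
    uint16_t length;   /* network byte order on the wire; sizeof(struct) == 4 */
};

#define SCTP_PAD4(x) (((x) + 3u) & ~3u)

struct walk_result {
    unsigned int chunks;   /* chunk headers that passed both existing length checks */
    int overread;          /* 1 if ch->length would have been read past the tail */
};

/* Model of the __sctp_rcv_walk_lookup() loop. fixed=0 uses the old exit condition
 * (ch_end < tail), fixed=1 the patched one (ch_end + sizeof(*ch) < tail). */
static struct walk_result walk_chunks(const uint8_t *data, size_t len, int fixed)
{
    const uint8_t *tail = data + len;
    const uint8_t *ch = data;
    const uint8_t *ch_end = data;
    struct walk_result r = { 0, 0 };

    if (len < sizeof(struct sctp_chunkhdr))   /* sctp_rcv() already guarantees one chunk */
        return r;
    do {
        /* The kernel reads ch->length right here; flag it instead of reading junk bytes. */
        if ((size_t)(tail - ch) < sizeof(struct sctp_chunkhdr)) {
            r.overread = 1;
            break;
        }
        unsigned int length = ((unsigned int)ch[2] << 8) | ch[3];
        if (length < sizeof(struct sctp_chunkhdr))   /* existing minimal-length check */
            break;
        ch_end = ch + SCTP_PAD4(length);
        if (ch_end > tail)                           /* existing whole-chunk bounds check */
            break;
        r.chunks++;
        ch = ch_end;
        /* tail - ch_end > sizeof(*ch) is ch_end + sizeof(*ch) < tail without an OOB pointer. */
    } while (fixed ? (size_t)(tail - ch_end) > sizeof(struct sctp_chunkhdr) : ch_end < tail);
    return r;
}

/* Constructed: one complete 8-byte chunk, then only 2 bytes of a second header. */
static const uint8_t truncated_pkt[10] = { 0x00, 0x00, 0x00, 0x08, 1, 2, 3, 4, 0x0b, 0x00 };
/* Constructed: two complete 8-byte chunks. */
static const uint8_t good_pkt[16] = { 0x00, 0x00, 0x00, 0x08, 1, 2, 3, 4,
                                      0x0b, 0x00, 0x00, 0x08, 5, 6, 7, 8 };
```

With the old condition the walker steps onto the 2-byte tail and would read a length field that is not there; with the patched condition it stops after the first chunk, while complete packets are still walked in full.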