stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.4 15/50] sctp: validate chunk size in __rcv_asconf_lookup
Date: Fri, 24 Sep 2021 14:44:04 +0200	[thread overview]
Message-ID: <20210924124332.747997475@linuxfoundation.org> (raw)
In-Reply-To: <20210924124332.229289734@linuxfoundation.org>

From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

commit b6ffe7671b24689c09faa5675dd58f93758a97ae upstream.

In one of the fallbacks that SCTP has for identifying an association for an
incoming packet, it looks for an AddIp chunk (from ASCONF) and takes a peek.
Thing is, at this stage nothing was validating that the chunk actually had
enough content for that, allowing the peek to happen over uninitialized
memory.

A similar check already exists in the actual asconf handling in
sctp_verify_asconf().

Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/input.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1168,6 +1168,9 @@ static struct sctp_association *__sctp_r
 	union sctp_addr_param *param;
 	union sctp_addr paddr;
 
+	if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
+		return NULL;
+
 	/* Skip over the ADDIP header and find the Address parameter */
 	param = (union sctp_addr_param *)(asconf + 1);
 
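Review bot: the new check only guarantees that the ASCONF header plus one `struct sctp_paramhdr` fit inside `ch->length`; the full address parameter that `param` is cast to (`union sctp_addr_param`, larger than a bare parameter header) is still not covered, so the code following `param = (union sctp_addr_param *)(asconf + 1);` must still validate the parameter's own length field against the remaining chunk bytes before reading the address. A one-line comment above the `if` stating which fields it makes safe to read (the parameter header at `asconf + 1`) would make that boundary clear to the next reader.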



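As an added illustration, not code from the patch or the kernel, here is a user-space model of the peek that __rcv_asconf_lookup performs and of the minimum-length check it gained; the struct layouts mirror the SCTP wire format, while the buflen bound, build_asconf and demo_case are assumptions of this example and the chunk bytes are constructed inline.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
/* Wire layouts as the kernel defines them (names reused locally). */
struct sctp_chunkhdr { uint8_t type; uint8_t flags; uint16_t length; };
struct sctp_addiphdr { uint32_t serial; };
struct sctp_addip_chunk { struct sctp_chunkhdr chunk_hdr; struct sctp_addiphdr addip_hdr; };
struct sctp_paramhdr { uint16_t type; uint16_t length; };

/* Peek at the first parameter of an ASCONF chunk, as the lookup does. Returns
 * its type, or -1 when the chunk cannot hold the ASCONF header plus a param
 * header. The buflen bound is added here; the kernel already knows the chunk fits the skb. */
int asconf_first_param_type(const uint8_t *buf, size_t buflen)
{
    const struct sctp_addip_chunk *asconf = (const struct sctp_addip_chunk *)buf;
    const struct sctp_chunkhdr *ch = &asconf->chunk_hdr;
    const struct sctp_paramhdr *param;
    size_t chunk_len;
    if (buflen < sizeof(*ch) || (chunk_len = ntohs(ch->length)) > buflen)
        return -1;
    /* The check the patch adds: without it, param may point past the chunk
     * and its type/length are read from whatever memory follows. */
    if (chunk_len < sizeof(*asconf) + sizeof(struct sctp_paramhdr))
        return -1;
    param = (const struct sctp_paramhdr *)(asconf + 1);
    return ntohs(param->type);
}

/* Build a constructed ASCONF chunk: serial 1 and one 8-byte IPv4 address
 * parameter (type 5). chunk_len is written as given so a too-short header
 * length can be produced. Returns the number of bytes written (16). */
size_t build_asconf(uint8_t *out, uint16_t chunk_len)
{
    struct sctp_addip_chunk hdr = {
        .chunk_hdr = { .type = 0xc1, .length = htons(chunk_len) },
        .addip_hdr = { .serial = htonl(1) },
    };
    struct sctp_paramhdr p = { .type = htons(5), .length = htons(8) };
    memcpy(out, &hdr, sizeof(hdr));
    memcpy(out + sizeof(hdr), &p, sizeof(p));
    memset(out + sizeof(hdr) + sizeof(p), 0, 4);   /* address 0.0.0.0 */
    return sizeof(hdr) + 8;
}

/* One case: the chunk header claims chunk_len bytes of a 16-byte chunk. */
int demo_case(uint16_t chunk_len)
{
    uint32_t store[8] = { 0 };        /* word aligned backing buffer */
    size_t n = build_asconf((uint8_t *)store, chunk_len);
    return asconf_first_param_type((uint8_t *)store, n);
}
```

A header length of 8 (ASCONF header only) or 11 is rejected exactly as the patched kernel rejects it, while 12 or 16 lets the parameter type be read.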
