• Xin Long's avatar
    sctp: set frag_point in sctp_setsockopt_maxseg correctly · ecca8f88
    Xin Long authored
    Now in sctp_setsockopt_maxseg user_frag or frag_point can be set with
    val >= 8 and val <= SCTP_MAX_CHUNK_LEN. But both checks are incorrect.
    
    val >= 8 means frag_point can even be less than SCTP_DEFAULT_MINSEGMENT.
    Then in sctp_datamsg_from_user(), when it's value is greater than cookie
    echo len and trying to bundle with cookie echo chunk, the first_len will
    overflow.
    
    The worse case is when it's value is equal as cookie echo len, first_len
    becomes 0, it will go into a dead loop for fragment later on. In Hangbin
    syzkaller testing env, oom was even triggered due to consecutive memory
    allocation in that loop.
    
    Besides, SCTP_MAX_CHUNK_LEN is the max size of the whole chunk, it should
    deduct the data header for frag_point or user_frag check.
    
    This patch does a proper check with SCTP_DEFAULT_MINSEGMENT subtracting
    the sctphdr and datahdr, SCTP_MAX_CHUNK_LEN subtracting datahdr when
    setting frag_point via sockopt. It also improves sctp_setsockopt_maxseg
    codes.
    Suggested-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Reported-by: default avatarHangbin Liu <liuhangbin@gmail.com>
    Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
    Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    ecca8f88
socket.c 232 KB