[SCTP]: Fix sctp_rcv_ootb() to handle the last chunk of a packet correctly.

Signed-off-by: Tsutomu Fujii <t-fujii@nb.jp.nec.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>

[SCTP]: Fix sctp_rcv_ootb() to handle the last chunk of a packet correctly.
Signed-off-by: Tsutomu Fujii <t-fujii@nb.jp.nec.com> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
a7d1f1b6 · Tsutomu Fujii · Sridhar Samudrala · c4d2444e · a7d1f1b6 · a7d1f1b6
Commit a7d1f1b6 authored Jan 17, 2006 by Tsutomu Fujii Committed by Sridhar Samudrala Jan 17, 2006
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 4 deletions

net/sctp/input.c net/sctp/input.c +9 -4

net/sctp/sm_statefuns.c net/sctp/sm_statefuns.c +2 -0

No files found.
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -588,10 +588,16 @@ int sctp_rcv_ootb(struct sk_buff *skb)
 	sctp_errhdr_t *err;
 	ch = (sctp_chunkhdr_t *) skb->data;
-	ch_end = ((__u8 *) ch) + WORD_ROUND(ntohs(ch->length));
 	/* Scan through all the chunks in the packet.  */
-	while (ch_end > (__u8 *)ch && ch_end < skb->tail) {
+	do {
+		/* Break out if chunk length is less then minimal. */
+		if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t))
+			break;
+		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+		if (ch_end > skb->tail)
+			break;
 		/* RFC 8.4, 2) If the OOTB packet contains an ABORT chunk, the
 		 * receiver MUST silently discard the OOTB packet and take no
@@ -622,8 +628,7 @@ int sctp_rcv_ootb(struct sk_buff *skb)
 		}
 		ch = (sctp_chunkhdr_t *) ch_end;
-	        ch_end = ((__u8 *) ch) + WORD_ROUND(ntohs(ch->length));
+	} while (ch_end < skb->tail);
-	}
 	return 0;

--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3090,6 +3090,8 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
 			break;
 		ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+		if (ch_end > skb->tail)
+			break;
 		if (SCTP_CID_SHUTDOWN_ACK == ch->type)
 			ootb_shut_ack = 1;