diff options
| author | Xin Long <lucien.xin@gmail.com> | 2017-07-26 08:24:59 (GMT) |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-08-11 15:49:33 (GMT) |
| commit | df32d08293ea7db4fe7e030bd47c71b7f63fc05f (patch) | |
| tree | 3aba804a8c37f04192e9cb3e17186cfb0c53eba1 /fs/pnode.h | |
| parent | cc6f1486f2cb053a647db3a51cba5fbeabaa4a3f (diff) | |
| download | linux-df32d08293ea7db4fe7e030bd47c71b7f63fc05f.tar.xz | |
sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
[ Upstream commit 6b84202c946cd3da3a8daa92c682510e9ed80321 ]
Commit b1f5bfc27a19 ("sctp: don't dereference ptr before leaving
_sctp_walk_{params, errors}()") tried to fix the issue that it
may overstep the chunk end for _sctp_walk_{params, errors} with
'chunk_end > offset(length) + sizeof(length)'.
But it introduced a side effect: When processing INIT, it verifies
the chunks with 'param.v == chunk_end' after iterating all params
by sctp_walk_params(). With the check 'chunk_end > offset(length)
+ sizeof(length)', it would return when the last param is not yet
accessed. Because the last param usually is fwdtsn supported param
whose size is 4 and 'chunk_end == offset(length) + sizeof(length)'
This is a badly issue even causing sctp couldn't process 4-shakes.
Client would always get abort when connecting to server, due to
the failure of INIT chunk verification on server.
The patch is to use 'chunk_end <= offset(length) + sizeof(length)'
instead of 'chunk_end < offset(length) + sizeof(length)' for both
_sctp_walk_params and _sctp_walk_errors.
Fixes: b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/pnode.h')
0 files changed, 0 insertions, 0 deletions