diff mbox series

[net] sctp: fix a potential overflow in sctp_ifwdtsn_skip

Message ID 2a71bffcd80b4f2c61fac6d344bb2f11c8fd74f7.1681155810.git.lucien.xin@gmail.com (mailing list archive)
State Accepted
Commit 32832a2caf82663870126c5186cf8f86c8b2a649
Delegated to: Netdev Maintainers
Headers show
Series [net] sctp: fix a potential overflow in sctp_ifwdtsn_skip | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 19 this patch: 19
netdev/cc_maintainers warning 1 maintainers not CCed: nhorman@tuxdriver.com
netdev/build_clang success Errors and warnings before: 18 this patch: 18
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 19 this patch: 19
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 9 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Xin Long April 10, 2023, 7:43 p.m. UTC 
Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only
checks the pos against the end of the chunk. However, the data left for
the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference
it as struct sctp_ifwdtsn_skip may cause coverflow.

This patch fixes it by checking the pos against "the end of the chunk -
sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to
sctp_fwdtsn_skip.

Fixes: 0fc2ea922c8a ("sctp: implement validate_ftsn for sctp_stream_interleave")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/sctp/stream_interleave.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

patchwork-bot+netdevbpf@kernel.org April 13, 2023, 8:20 a.m. UTC | #1 
Hello:

This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Mon, 10 Apr 2023 15:43:30 -0400 you wrote:
> Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only
> checks the pos against the end of the chunk. However, the data left for
> the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference
> it as struct sctp_ifwdtsn_skip may cause coverflow.
> 
> This patch fixes it by checking the pos against "the end of the chunk -
> sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to
> sctp_fwdtsn_skip.
> 
> [...]

Here is the summary with links:
  - [net] sctp: fix a potential overflow in sctp_ifwdtsn_skip
    https://git.kernel.org/netdev/net/c/32832a2caf82

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/sctp/stream_interleave.c b/net/sctp/stream_interleave.c
index 94727feb07b3..b046b11200c9 100644
--- a/net/sctp/stream_interleave.c
+++ b/net/sctp/stream_interleave.c
@@ -1154,7 +1154,8 @@  static void sctp_generate_iftsn(struct sctp_outq *q, __u32 ctsn)
 
 #define _sctp_walk_ifwdtsn(pos, chunk, end) \
 	for (pos = chunk->subh.ifwdtsn_hdr->skip; \
-	     (void *)pos < (void *)chunk->subh.ifwdtsn_hdr->skip + (end); pos++)
+	     (void *)pos <= (void *)chunk->subh.ifwdtsn_hdr->skip + (end) - \
+			    sizeof(struct sctp_ifwdtsn_skip); pos++)
 
 #define sctp_walk_ifwdtsn(pos, ch) \
 	_sctp_walk_ifwdtsn((pos), (ch), ntohs((ch)->chunk_hdr->length) - \