Neil Horman wrote:
> Hey all-
> I'm having a bit of trouble understanding the implementation of
> sctp_rcv_ootb. Specifically I'm wondering why we allow packets checked in
> sctp_rcv_ootb with malformed chunks into the receive queue. For instance, if a
> chunk in an ootb packet has a zero length, we break out of the loop and return
> 0, which lets us eventually call sctp_inq_push to put it on the receive queue,
> from which point on we seem to assume the chunk header length field is valid and
> correct. Am I missing something, or is this a bug?
>

Before we put it on the receive queue, we have already confirmed that this chunk has a length of at least sizeof(struct sctp_chunkhdr).

int sctp_rcv(struct sk_buff *skb)
{
	...
	/* Make sure we at least have chunk headers worth of data left. */
	if (skb->len < sizeof(struct sctp_chunkhdr))
		goto discard_it;
	...
}

We let this chunk go on to be processed via sctp_inq_push() because this way we can then send an ABORT to tell the sender the packet is malformed. The chunk header length check will be done later, such as in sctp_sf_ootb().
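The two-stage check the reply describes, written out as an added example (this is not kernel code: sctp_rcv, sctp_rcv_ootb and sctp_sf_ootb are only paraphrased, and the walk_chunks/classify helpers, the chunk_walk_result enum and the sample payloads are constructed for this illustration). Stage one is the minimum-length test the reply quotes from sctp_rcv; stage two walks the chunk list and validates each chunk's length field before the walk advances past it, so a zero, sub-header or oversized length is reported with its offset instead of being trusted:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SCTP chunk header as laid out on the wire (RFC 4960, section 3.2):
 * type (1 byte), flags (1 byte), length (2 bytes, network byte order,
 * counting the header itself). */
struct sctp_chunkhdr {
    uint8_t  type;
    uint8_t  flags;
    uint16_t length;
};

enum chunk_walk_result {
    CHUNK_WALK_OK = 0,      /* every chunk length was consistent with the packet */
    CHUNK_WALK_TOO_SHORT,   /* packet cannot hold even one chunk header: discard */
    CHUNK_WALK_BAD_LENGTH   /* a chunk length is zero, below the header size,
                               or runs past the end of the packet */
};

/* Chunks start on 4-byte boundaries; the length field excludes that padding. */
static size_t word_round(size_t len) { return (len + 3) & ~(size_t)3; }

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the chunks that follow the SCTP common header in buf[0..len).
 * Stage 1: the packet must hold at least one chunk header.
 * Stage 2: each chunk's length field is validated before the walk advances,
 * so a malformed length is reported rather than dereferenced.
 * On failure *bad_offset is the offset of the offending chunk and
 * *nchunks counts the chunks accepted before it. */
static enum chunk_walk_result walk_chunks(const uint8_t *buf, size_t len,
                                          size_t *bad_offset, unsigned *nchunks)
{
    size_t off = 0;

    *bad_offset = 0;
    *nchunks = 0;
    if (len < sizeof(struct sctp_chunkhdr))
        return CHUNK_WALK_TOO_SHORT;

    while (off < len) {
        size_t remaining = len - off;
        uint16_t chunk_len;

        if (remaining < sizeof(struct sctp_chunkhdr)) {
            *bad_offset = off;          /* trailing bytes too short to be a chunk */
            return CHUNK_WALK_BAD_LENGTH;
        }
        chunk_len = read_be16(buf + off + offsetof(struct sctp_chunkhdr, length));
        if (chunk_len < sizeof(struct sctp_chunkhdr) || chunk_len > remaining) {
            *bad_offset = off;          /* zero/short length would stall the walk,
                                           oversized length would read off the end */
            return CHUNK_WALK_BAD_LENGTH;
        }
        (*nchunks)++;
        off += word_round(chunk_len);   /* padding of the last chunk may be absent */
    }
    return CHUNK_WALK_OK;
}

/* Small wrappers so each result can be inspected on its own. */
static enum chunk_walk_result classify(const uint8_t *buf, size_t len)
{
    size_t off; unsigned n;
    return walk_chunks(buf, len, &off, &n);
}

static size_t bad_offset_of(const uint8_t *buf, size_t len)
{
    size_t off; unsigned n;
    walk_chunks(buf, len, &off, &n);
    return off;
}

static unsigned chunks_before_error(const uint8_t *buf, size_t len)
{
    size_t off; unsigned n;
    walk_chunks(buf, len, &off, &n);
    return n;
}

/* Constructed sample payloads (chunk list only, common header stripped).
 * Only length consistency is checked here; chunk contents are arbitrary. */
static const uint8_t good_pkt[] = {
    0x04, 0x00, 0x00, 0x05, 0xaa, 0x00, 0x00, 0x00,   /* type 4, length 5, padded to 8 */
    0x06, 0x00, 0x00, 0x04                            /* type 6, length 4 */
};
static const uint8_t zero_len_pkt[]   = { 0x04, 0x00, 0x00, 0x00, 0xaa, 0xbb, 0xcc, 0xdd };
static const uint8_t short_pkt[]      = { 0x04, 0x00, 0x00 };              /* 3 bytes, no header */
static const uint8_t overlong_pkt[]   = { 0x01, 0x00, 0x00, 0x40 };        /* claims 64 bytes, has 4 */
static const uint8_t second_bad_pkt[] = { 0x06, 0x00, 0x00, 0x04,          /* valid first chunk */
                                          0x04, 0x00, 0x00, 0x00 };        /* zero-length second chunk */

int main(void)
{
    static const char *names[] = { "ok", "too short", "bad length" };
    size_t off; unsigned n;
    enum chunk_walk_result r = walk_chunks(second_bad_pkt, sizeof second_bad_pkt, &off, &n);

    printf("%s: %u chunk(s) accepted, offending chunk at offset %zu\n", names[r], n, off);
    return 0;
}
```

The point of reporting the offset rather than just failing is that a receiver which has already accepted the packet past stage one still knows exactly which chunk was malformed when it builds the ABORT the reply mentions.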