Vlad Yasevich wrote, at 05/17/2010 10:30 PM:
>> @@sctp_verify_asconf()
>> 3045 if (param.v > chunk_end - length ||
>> 3046 length < sizeof(sctp_paramhdr_t))
>> 3047 return 0;
>>
>
> This doesn't check the 'true' length of the parameter. It makes sure that
> the length specified is at least as long as sctp_paramhdr_t (minimum length),
> and not longer than the end of the chunk. It makes no assumptions about
> the actual length of the parameter.

Thanks for your exact description.
How about fixing like this?

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 565a690..32e2c34 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -4329,8 +4329,9 @@ static sctp_disposition_t sctp_sf_violation_chunklen( /* * Handle a protocol violation when the parameter length is invalid. - * "Invalid" length is identified as smaller than the minimal length a - * given parameter can be. + * If the length is smaller than the minimum length of a given parameter, + * or accumulated length in multi parameters exceeds the end of the chunk, + * the length is considered as invalid. */ static sctp_disposition_t sctp_sf_violation_paramlen( const struct sctp_endpoint *ep,

--
Best Regards
-----
Shan Wei

>
> -vlad
>
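Review bot: the first added comment line in the sctp_sf_violation_paramlen() header, "smaller than the minimum length of a given parameter", still reads as a per-parameter-type minimum, while the check quoted earlier in this thread only compares length against sizeof(sctp_paramhdr_t), the minimum for any parameter header. If the comment is meant to describe that check, say "smaller than the parameter header (sctp_paramhdr_t)" so readers do not assume the type-specific length has been validated. The second added line is also hard to parse: "accumulated length in multi parameters" would be clearer as "or the parameter would extend past the end of the chunk", and "considered as invalid" as "considered invalid". The hunk changes only the comment, so it is worth stating in the changelog that no behaviour changes.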