From: Xin Long <lucien.xin@xxxxxxxxx>
Date: Wed, 15 Nov 2017 17:00:11 +0800

> Now when resetting stream, if both in and out flags are set, the info
> len can reach:
>
>   sizeof(struct sctp_strreset_outreq) + SCTP_MAX_STREAM(65535) +
>   sizeof(struct sctp_strreset_inreq) + SCTP_MAX_STREAM(65535)
>
> even without duplicated stream no, this value is far greater than the
> chunk's max size.
>
> _sctp_make_chunk doesn't do any check for this, which would cause the
> skb it allocs to be huge; syzbot even reported a crash due to this.
>
> This patch is to check stream reset info len before making reconf
> chunk and return EINVAL if the len exceeds chunk's capacity.
>
> Thanks Marcelo and Neil for making this clear.
>
> v1->v2:
>   - move the check into sctp_send_reset_streams instead.
>
> Fixes: cc16f00f6529 ("sctp: add support for generating stream reconf ssn reset request chunk")
> Reported-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>

Applied.
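The length arithmetic in the quoted commit message, worked through as an added example. This is not the kernel's code or the patch itself: the struct layouts follow the RFC 6525 outgoing/incoming SSN reset request parameters, the `SCTP_MAX_CHUNK_LEN` definition (16-bit chunk length minus a 4-byte chunk header) and the function names `reset_info_len` / `check_reset_info_len` are assumptions made here, and the check models the described fix of rejecting oversized reset info with `-EINVAL` before any skb would be allocated.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-ins for the kernel definitions named in the commit
 * message (assumed values, not taken from the page).  The layouts mirror
 * the RFC 6525 parameter formats: a 4-byte parameter header plus fixed
 * fields, followed by a variable-length list of 16-bit stream numbers.
 */
#define SCTP_MAX_STREAM     65535u
#define SCTP_CHUNK_HDR_LEN  4u
/* A chunk's 16-bit length field covers the header too, so this is the cap. */
#define SCTP_MAX_CHUNK_LEN  (65535u - SCTP_CHUNK_HDR_LEN)

struct sctp_strreset_outreq {
    uint16_t type, length;        /* parameter header */
    uint32_t request_seq;
    uint32_t response_seq;
    uint32_t send_reset_at_tsn;
    uint16_t list_of_streams[];   /* str_nums entries */
};

struct sctp_strreset_inreq {
    uint16_t type, length;        /* parameter header */
    uint32_t request_seq;
    uint16_t list_of_streams[];   /* str_nums entries */
};

/* Total reset info that would have to fit into one RECONF chunk. */
static size_t reset_info_len(int out, int in, size_t str_nums)
{
    size_t len = 0;

    if (out)
        len += sizeof(struct sctp_strreset_outreq) +
               str_nums * sizeof(uint16_t);
    if (in)
        len += sizeof(struct sctp_strreset_inreq) +
               str_nums * sizeof(uint16_t);
    return len;
}

/*
 * Validate before building the chunk: 0 when the info fits, -EINVAL when
 * it would exceed the chunk's capacity (the condition the fix rejects).
 */
static int check_reset_info_len(int out, int in, size_t str_nums)
{
    if (!out && !in)
        return -EINVAL;           /* nothing requested */
    if (str_nums > SCTP_MAX_STREAM)
        return -EINVAL;           /* more streams than SCTP allows */
    if (reset_info_len(out, in, str_nums) > SCTP_MAX_CHUNK_LEN)
        return -EINVAL;           /* would need an oversized skb */
    return 0;
}

int main(void)
{
    /* The worst case from the commit message: both flags, every stream. */
    printf("both flags, %u streams: info len %zu, chunk cap %u, rc %d\n",
           SCTP_MAX_STREAM, reset_info_len(1, 1, SCTP_MAX_STREAM),
           SCTP_MAX_CHUNK_LEN, check_reset_info_len(1, 1, SCTP_MAX_STREAM));
    /* A request that fits comfortably. */
    printf("both flags, 10 streams: info len %zu, rc %d\n",
           reset_info_len(1, 1, 10), check_reset_info_len(1, 1, 10));
    return 0;
}
```

With both flags set the per-stream cost is four bytes (two 16-bit lists), so the request stops fitting somewhere in the low sixteen-thousands of streams, far below the 65535 maximum; without the check the allocation size is driven directly by user-supplied stream counts.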