sctp: add size validation when walking chunks

[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ]

The first chunk in a packet is ensured to be present at the beginning of
sctp_rcv(), as a packet needs to have at least 1 chunk. But the second
one, may not be completely available and ch->length can be over
uninitialized memory.

Fix here is by only trying to walk on the next chunk if there is enough to
hold at least the header, and then proceed with the ch->length validation
that is already there.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/net/sctp/input.c b/net/sctp/input.c
index 9fa89a35afcd393b6cdc9c0144fd94bf532f687b..9dcc18db99186ccee40067966c14b15d5576668b 100644 (file)
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1086,7 +1086,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net,
 
                ch = (sctp_chunkhdr_t *) ch_end;
                chunk_num++;
-       } while (ch_end < skb_tail_pointer(skb));
+       } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
 
        return asoc;
 }