Commit 7903d6f9 authored by Marcelo Ricardo Leitner's avatar Marcelo Ricardo Leitner Committed by Zheng Zengkai
Browse files

sctp: add param size validation for SCTP_PARAM_SET_PRIMARY 

mainline inclusion
from mainline-5.14-rc1
commit ef6c8d6c
bugzilla: 177765 https://gitee.com/openeuler/kernel/issues/I4DDEL
CVE: CVE-2021-3655

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9



--------------------------------

When SCTP handles an INIT chunk, it calls for example:
sctp_sf_do_5_1B_init
  sctp_verify_init
    sctp_verify_param
  sctp_process_init
    sctp_process_param
      handling of SCTP_PARAM_SET_PRIMARY

sctp_verify_init() wasn't doing proper size validation and neither the
later handling, allowing it to work over the chunk itself, possibly being
uninitialized memory.

Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarChen Jun <chenjun102@huawei.com>
Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Reviewed-by: default avatarXiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: default avatarChen Jun <chenjun102@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent f567a501
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment