possible integer underflow in __sctp_auth_cid()
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 
In 555d3d5d "SCTP: Fix chunk acceptance when no authenticated chunks
were listed.", we added a check for if (param->param_hdr.length == 0).
Shouldn't that check be a check for if
(param->param_hdr.length < sizeos(sizeof(sctp_paramhdr_t)))?  Otherwise,
when we do the substraction on the next line we would unintentionally
end up with a high positive number.

I had a similar question about sctp_auth_ep_add_chunkid():

net/sctp/auth.c
   770          /* Check if we can add this chunk to the array */
   771          param_len = ntohs(p->param_hdr.length);
   772          nchunks = param_len - sizeof(sctp_paramhdr_t);
   773          if (nchunks == SCTP_NUM_CHUNK_TYPES)
   774                  return -EINVAL;
   775
   776          p->chunks[nchunks] = chunk_id;

If param_len is less than sizeof(sctp_paramhdr_t) we could write past
the end of the array.  There are a couple other places with this same
subtraction as well.

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Linux Kernel Discussion]     [Ethernet Bridging]     [Linux Wireless Networking]     [Linux Bluetooth Networking]     [Linux Networking Users]     [VLAN]     [Git]     [IETF Annouce]     [Linux Assembly]     [Security]     [Bugtraq]     [Photo]     [Singles Social Networking]     [Yosemite Information]     [MIPS Linux]     [ARM Linux Kernel]     [ARM Linux]     [Linux Virtualization]     [Linux Security]     [Linux IDE]     [Linux RAID]     [Linux SCSI]     [Free Dating]

Add to Google Powered by Linux