projects
/
cascardo
/
linux.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
sctp: validate chunk len before actually using it
[cascardo/linux.git]
/
net
/
sctp
/
sm_statefuns.c
diff --git
a/net/sctp/sm_statefuns.c
b/net/sctp/sm_statefuns.c
index
026e3bc
..
8ec20a6
100644
(file)
--- a/
net/sctp/sm_statefuns.c
+++ b/
net/sctp/sm_statefuns.c
@@
-3422,6
+3422,12
@@
sctp_disposition_t sctp_sf_ootb(struct net *net,
return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
commands);
return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
commands);
+ /* Report violation if chunk len overflows */
+ ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
+ if (ch_end > skb_tail_pointer(skb))
+ return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+ commands);
+
/* Now that we know we at least have a chunk header,
* do things that are type appropriate.
*/
/* Now that we know we at least have a chunk header,
* do things that are type appropriate.
*/
@@
-3453,12
+3459,6
@@
sctp_disposition_t sctp_sf_ootb(struct net *net,
}
}
}
}
- /* Report violation if chunk len overflows */
- ch_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
- if (ch_end > skb_tail_pointer(skb))
- return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
- commands);
-
ch = (sctp_chunkhdr_t *) ch_end;
} while (ch_end < skb_tail_pointer(skb));
ch = (sctp_chunkhdr_t *) ch_end;
} while (ch_end < skb_tail_pointer(skb));