sctp: validate chunk len before actually using it
authorMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Tue, 25 Oct 2016 16:27:39 +0000 (14:27 -0200)
committerDavid S. Miller <davem@davemloft.net>
Sat, 29 Oct 2016 16:00:10 +0000 (12:00 -0400)
commitbf911e985d6bbaa328c20c3e05f4eb03de11fdd6
tree1b27244b2383e75616e7c1d4a3c1faa329108f99
parentc2e169be8ce7bde1e4189dc6e72eb9861fe9b6fb
sctp: validate chunk len before actually using it

Andrey Konovalov reported that KASAN detected that SCTP was using a slab
beyond the boundaries. It was caused because when handling out of the
blue packets in function sctp_sf_ootb() it was checking the chunk len
only after already processing the first chunk, validating only for the
2nd and subsequent ones.

The fix is to just move the check upwards so it's also validated for the
1st chunk.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sctp/sm_statefuns.c