sctp: add size validation when walking chunks

[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ]

The first chunk in a packet is ensured to be present at the beginning of
sctp_rcv(), as a packet needs to have at least 1 chunk. But the second
one, may not be completely available and ch->length can be over
uninitialized memory.

Fix here is by only trying to walk on the next chunk if there is enough to
hold at least the header, and then proceed with the ch->length validation
that is already there.

Mot-CRs-fixed: (CR)
CVE-Fixed: CVE-2021-3655
Bug: 197154735

Change-Id: Iea95952b6ab63c74674efdcb2574ca95a525dcb2
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Gajjala Chakradhar <gajjalac@motorola.com>
Reviewed-on: https://gerrit.mot.com/2197702
SME-Granted: SME Approvals Granted
SLTApproved: Slta Waiver
Tested-by: Jira Key
Reviewed-by: Xiangpo Zhao <zhaoxp3@motorola.com>
Submit-Approved: Jira Key
(cherry picked from commit 58617a2b919acf27489dbc4ea62a1776472fdc85)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index 5cc8c9122c1a4357224426860aade5181b370271..5ea8982ab7a986d7daaa7511245301ea443f74b2 100644 (file)
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1197,7 +1197,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net,
 
                ch = (struct sctp_chunkhdr *)ch_end;
                chunk_num++;
-       } while (ch_end < skb_tail_pointer(skb));
+       } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
 
        return asoc;
 }