From: Marcelo Ricardo Leitner
mainline inclusion
from mainline-v5.14-rc1
commit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9
category: bugfix
issue: #I4589I
CVE: CVE-2021-3655
---------------------------
When SCTP handles an INIT chunk, it calls for example:
sctp_sf_do_5_1B_init
sctp_verify_init
sctp_verify_param
sctp_process_init
sctp_process_param
handling of SCTP_PARAM_SET_PRIMARY
sctp_verify_init() wasn't doing proper size validation and neither the
later handling, allowing it to work over the chunk itself, possibly being
uninitialized memory.
Signed-off-by: Marcelo Ricardo Leitner
Signed-off-by: David S. Miller
Conflicts:
net/sctp/sm_make_chunk.c
[yyl: asconf_enable is not added in kernel-4.19]
Signed-off-by: Yang Yingliang
Reviewed-by: Xiu Jianfeng
Reviewed-by: Yue Haibing
Signed-off-by: Yang Yingliang
Signed-off-by: Yu Changchun
---
net/sctp/sm_make_chunk.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index d87cd60c216e..39bc0683d57e 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2172,9 +2172,16 @@ static enum sctp_ierror sctp_verify_param(struct net *net,
break;
case SCTP_PARAM_SET_PRIMARY:
- if (net->sctp.addip_enable)
- break;
- goto fallthrough;
+ if (!net->sctp.addip_enable)
+ goto fallthrough;
+
+ if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) +
+ sizeof(struct sctp_paramhdr)) {
+ sctp_process_inv_paramlength(asoc, param.p,
+ chunk, err_chunk);
+ retval = SCTP_IERROR_ABORT;
+ }
+ break;
case SCTP_PARAM_HOST_NAME_ADDRESS:
/* Tell the peer, we won't support this param. */
--
2.22.0
