sctp: validate chunk len before actually using it
[pandora-kernel.git] / net / sctp / sm_statefuns.c
index 4e0a9b9..6b22d6a 100644 (file)
@@ -3354,6 +3354,12 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
                        return sctp_sf_violation_chunklen(ep, asoc, type, arg,
                                                  commands);
 
+               /* Report violation if chunk len overflows */
+               ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+               if (ch_end > skb_tail_pointer(skb))
+                       return sctp_sf_violation_chunklen(ep, asoc, type, arg,
+                                                 commands);
+
                /* Now that we know we at least have a chunk header,
                 * do things that are type appropriate.
                 */
@@ -3385,12 +3391,6 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
                        }
                }
 
-               /* Report violation if chunk len overflows */
-               ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
-               if (ch_end > skb_tail_pointer(skb))
-                       return sctp_sf_violation_chunklen(ep, asoc, type, arg,
-                                                 commands);
-
                ch = (sctp_chunkhdr_t *) ch_end;
        } while (ch_end < skb_tail_pointer(skb));