git.openpandora.org
/
pandora-kernel.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
sctp: validate chunk len before actually using it
[pandora-kernel.git]
/
net
/
sctp
/
sm_statefuns.c
diff --git
a/net/sctp/sm_statefuns.c
b/net/sctp/sm_statefuns.c
index
4e0a9b9
..
6b22d6a
100644
(file)
--- a/
net/sctp/sm_statefuns.c
+++ b/
net/sctp/sm_statefuns.c
@@
-3354,6
+3354,12
@@
sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
return sctp_sf_violation_chunklen(ep, asoc, type, arg,
commands);
return sctp_sf_violation_chunklen(ep, asoc, type, arg,
commands);
+ /* Report violation if chunk len overflows */
+ ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
+ if (ch_end > skb_tail_pointer(skb))
+ return sctp_sf_violation_chunklen(ep, asoc, type, arg,
+ commands);
+
/* Now that we know we at least have a chunk header,
* do things that are type appropriate.
*/
/* Now that we know we at least have a chunk header,
* do things that are type appropriate.
*/
@@
-3385,12
+3391,6
@@
sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
}
}
}
}
- /* Report violation if chunk len overflows */
- ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
- if (ch_end > skb_tail_pointer(skb))
- return sctp_sf_violation_chunklen(ep, asoc, type, arg,
- commands);
-
ch = (sctp_chunkhdr_t *) ch_end;
} while (ch_end < skb_tail_pointer(skb));
ch = (sctp_chunkhdr_t *) ch_end;
} while (ch_end < skb_tail_pointer(skb));
git.openpandora.org / pandora-kernel.git / blobdiff