sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
commit fa5f7b51fc3080c2b195fa87c7eca7c05e56f673 upstream. This code causes a static checker warning because Smatch doesn't trust anything that comes from skb->data. I've reviewed this code and I do think skb->data can be controlled by the user here. The sctp_event_subscribe struct has 13 __u8 fields and we want to see if ours is non-zero. sn_type can be any value in the 0-USHRT_MAX range. We're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read either before the start of the struct or after the end. This is a very old bug and it's surprising that it would go undetected for so long but my theory is that it just doesn't have a big impact so it would be hard to notice. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Willy Tarreau <w@1wt.eu>
This commit is contained in:
Dan Carpenter
syphyr
parent
475b543c09
commit
0a900adda7
|
|
@ -143,8 +143,12 @@ __u16 sctp_ulpevent_get_notification_type(const struct sctp_ulpevent *event);
|
|||
static inline int sctp_ulpevent_type_enabled(__u16 sn_type,
|
||||
struct sctp_event_subscribe *mask)
|
||||
{
|
||||
int offset = sn_type - SCTP_SN_TYPE_BASE;
|
||||
char *amask = (char *) mask;
|
||||
return amask[sn_type - SCTP_SN_TYPE_BASE];
|
||||
|
||||
if (offset >= sizeof(struct sctp_event_subscribe))
|
||||
return 0;
|
||||
return amask[offset];
|
||||
}
|
||||
|
||||
/* Given an event subscription, is this event enabled? */
|
||||
|
|
|
|||
Loading…
Reference in New Issue