4fbd094d41
[ Upstream commit 32832a2caf82663870126c5186cf8f86c8b2a649 ]
Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only
checks the pos against the end of the chunk. However, the data left for
the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference
it as struct sctp_ifwdtsn_skip may cause coverflow.
This patch fixes it by checking the pos against "the end of the chunk -
sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to
sctp_fwdtsn_skip.
Fixes:
|
||
---|---|---|
.. | ||
associola.c | ||
auth.c | ||
bind_addr.c | ||
chunk.c | ||
debug.c | ||
diag.c | ||
endpointola.c | ||
input.c | ||
inqueue.c | ||
ipv6.c | ||
Kconfig | ||
Makefile | ||
objcnt.c | ||
offload.c | ||
output.c | ||
outqueue.c | ||
primitive.c | ||
proc.c | ||
protocol.c | ||
sm_make_chunk.c | ||
sm_sideeffect.c | ||
sm_statefuns.c | ||
sm_statetable.c | ||
socket.c | ||
stream.c | ||
stream_interleave.c | ||
stream_sched.c | ||
stream_sched_prio.c | ||
stream_sched_rr.c | ||
sysctl.c | ||
transport.c | ||
tsnmap.c | ||
ulpevent.c | ||
ulpqueue.c |