linux/net/sctp
Xin Long 10b3bf5440 sctp: fix an array overflow when all ext chunks are set
Marcelo noticed an array overflow caused by commit c28445c3cb
("sctp: add reconf_enable in asoc ep and netns"), in which sctp
would add SCTP_CID_RECONF into extensions when reconf_enable is
set in sctp_make_init and sctp_make_init_ack.

Then now when all ext chunks are set, 4 ext chunk ids can be put
into extensions array while extensions array size is 3. It would
cause a kernel panic because of this overflow.

This patch is to fix it by defining extensions array size is 4 in
both sctp_make_init and sctp_make_init_ack.

Fixes: c28445c3cb ("sctp: add reconf_enable in asoc ep and netns")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-07-14 09:05:10 -07:00
..
associola.c net, sctp: convert sctp_ep_common.refcnt from atomic_t to refcount_t 2017-07-04 22:35:19 +01:00
auth.c net, sctp: convert sctp_auth_bytes.refcnt from atomic_t to refcount_t 2017-07-04 22:35:18 +01:00
bind_addr.c sctp: not copying duplicate addrs to the assoc's bind address list 2016-12-20 14:15:45 -05:00
chunk.c net, sctp: convert sctp_datamsg.refcnt from atomic_t to refcount_t 2017-07-04 22:35:18 +01:00
debug.c net: sctp: fix array overrun read on sctp_timer_tbl 2017-01-24 15:24:35 -05:00
endpointola.c net, sctp: convert sctp_ep_common.refcnt from atomic_t to refcount_t 2017-07-04 22:35:19 +01:00
input.c sctp: remove the typedef sctp_init_chunk_t 2017-07-01 09:08:42 -07:00
inqueue.c sctp: remove the typedef sctp_chunkhdr_t 2017-07-01 09:08:41 -07:00
ipv6.c sctp: set the value of flowi6_oif to sk_bound_dev_if to make sctp_v6_get_dst to find the correct route entry. 2017-07-06 11:39:54 +01:00
Kconfig sctp: add the sctp_diag.c file 2016-04-15 17:29:36 -04:00
Makefile sctp: prepare asoc stream for stream reconf 2017-01-06 21:07:26 -05:00
objcnt.c sctp: prepare asoc stream for stream reconf 2017-01-06 21:07:26 -05:00
offload.c net: use skb->csum_not_inet to identify packets needing crc32c 2017-05-19 19:21:29 -04:00
output.c sctp: remove the typedef sctp_data_chunk_t 2017-07-01 09:08:42 -07:00
outqueue.c net: convert sk_buff.users from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
primitive.c sctp: add stream reconf primitive 2017-01-18 14:55:10 -05:00
probe.c
proc.c net: convert sock.sk_wmem_alloc from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
protocol.c net: Work around lockdep limitation in sockets that use sockets 2017-03-09 18:23:27 -08:00
sctp_diag.c sctp: ensure ep is not destroyed before doing the dump 2017-06-19 15:13:43 -04:00
sm_make_chunk.c sctp: fix an array overflow when all ext chunks are set 2017-07-14 09:05:10 -07:00
sm_sideeffect.c sctp: remove the typedef sctp_init_chunk_t 2017-07-01 09:08:42 -07:00
sm_statefuns.c sctp: remove the typedef sctp_init_chunk_t 2017-07-01 09:08:42 -07:00
sm_statetable.c sctp: remove the typedef sctp_cid_t 2017-07-01 09:08:41 -07:00
socket.c sctp: Add peeloff-flags socket option 2017-07-01 15:26:11 -07:00
stream.c sctp: remove the typedef sctp_paramhdr_t 2017-07-01 09:08:41 -07:00
sysctl.c sctp: add get and set sockopt for reconf_enable 2017-03-12 23:22:24 -07:00
transport.c net, sctp: convert sctp_transport.refcnt from atomic_t to refcount_t 2017-07-04 22:35:19 +01:00
tsnmap.c
ulpevent.c sctp: remove the typedef sctp_chunkhdr_t 2017-07-01 09:08:41 -07:00
ulpqueue.c sctp: remove the typedef sctp_data_chunk_t 2017-07-01 09:08:42 -07:00