sctp: frag_point sanity check
If for some reason an association's fragmentation point is zero, sctp_datamsg_from_user will try to endlessly try to divide a message into zero-sized chunks. This eventually causes kernel panic due to running out of memory. Although this situation is quite unlikely, it has occurred before as reported. I propose to add this simple last-ditch sanity check due to the severity of the potential consequences. Signed-off-by: Jakub Audykowicz <jakub.audykowicz@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Jakub Audykowicz
committed by
David S. Miller
David S. Miller
parent
b2b7af8611
commit
afd0a8006e
@@ -191,6 +191,12 @@ struct sctp_datamsg *sctp_datamsg_from_user(struct sctp_association *asoc,
|
||||
* the packet
|
||||
*/
|
||||
max_data = asoc->frag_point;
|
||||
if (unlikely(!max_data)) {
|
||||
max_data = sctp_min_frag_point(sctp_sk(asoc->base.sk),
|
||||
sctp_datachk_len(&asoc->stream));
|
||||
pr_warn_ratelimited("%s: asoc:%p frag_point is zero, forcing max_data to default minimum (%Zu)",
|
||||
__func__, asoc, max_data);
|
||||
}
|
||||
|
||||
/* If the the peer requested that we authenticate DATA chunks
|
||||
* we need to account for bundling of the AUTH chunks along with
|
||||
|
||||
Reference in New Issue
Block a user