linux_dsm_epyc7002/net/sctp
Xin Long ecca8f88da sctp: set frag_point in sctp_setsockopt_maxseg correctly
Now in sctp_setsockopt_maxseg user_frag or frag_point can be set with
val >= 8 and val <= SCTP_MAX_CHUNK_LEN. But both checks are incorrect.

val >= 8 means frag_point can even be less than SCTP_DEFAULT_MINSEGMENT.
Then in sctp_datamsg_from_user(), when its value is greater than cookie
echo len and trying to bundle with cookie echo chunk, the first_len will
overflow.

The worse case is when its value is equal to cookie echo len, first_len
becomes 0, it will go into a dead loop for fragment later on. In Hangbin's
syzkaller testing env, oom was even triggered due to consecutive memory
allocation in that loop.

Besides, SCTP_MAX_CHUNK_LEN is the max size of the whole chunk, it should
deduct the data header for frag_point or user_frag check.

This patch does a proper check with SCTP_DEFAULT_MINSEGMENT subtracting
the sctphdr and datahdr, SCTP_MAX_CHUNK_LEN subtracting datahdr when
setting frag_point via sockopt. It also improves sctp_setsockopt_maxseg
code.

Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-11-18 10:32:41 +09:00
..
associola.c net: sctp: Convert timers to use timer_setup() 2017-10-25 12:02:09 +09:00
auth.c
bind_addr.c
chunk.c
debug.c
endpointola.c
input.c sctp: fix some type cast warnings introduced by transport rhashtable 2017-10-29 18:03:24 +09:00
inqueue.c
ipv6.c net/sctp: Always set scope_id in sctp_inet6_skb_msgname 2017-11-16 23:00:30 +09:00
Kconfig
Makefile Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
objcnt.c
offload.c
output.c
outqueue.c
primitive.c
probe.c
proc.c
protocol.c net: sctp: Convert timers to use timer_setup() 2017-10-25 12:02:09 +09:00
sctp_diag.c
sm_make_chunk.c sctp: check stream reset info len before making reconf chunk 2017-11-16 10:49:00 +09:00
sm_sideeffect.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-10-30 21:09:24 +09:00
sm_statefuns.c
sm_statetable.c
socket.c sctp: set frag_point in sctp_setsockopt_maxseg correctly 2017-11-18 10:32:41 +09:00
stream_sched_prio.c
stream_sched_rr.c
stream_sched.c
stream.c sctp: check stream reset info len before making reconf chunk 2017-11-16 10:49:00 +09:00
sysctl.c
transport.c net: sctp: Convert timers to use timer_setup() 2017-10-25 12:02:09 +09:00
tsnmap.c
ulpevent.c sctp: fix some type cast warnings introduced by stream reconf 2017-10-29 18:03:24 +09:00
ulpqueue.c