sctp: potential read out of bounds in sctp_ulpevent_type_enabled()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

This code causes a static checker warning because Smatch doesn't trust
anything that comes from skb->data. I've reviewed this code and I do
think skb->data can be controlled by the user here.

The sctp_event_subscribe struct has 13 __u8 fields and we want to see
if ours is non-zero. sn_type can be any value in the 0-USHRT_MAX range.
We're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read
either before the start of the struct or after the end.

This is a very old bug and it's surprising that it would go undetected
for so long but my theory is that it just doesn't have a big impact so
it would be hard to notice.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Dan Carpenter and committed by

David S. Miller 8 years ago fa5f7b51 6fa9c623

+5 -1

1 changed file

expand all

include

net

sctp

ulpevent.h

+5 -1

include/net/sctp/ulpevent.h

··· 153 153 static inline int sctp_ulpevent_type_enabled(__u16 sn_type, 154 154 struct sctp_event_subscribe *mask) 155 155 { 156 + int offset = sn_type - SCTP_SN_TYPE_BASE; 156 157 char *amask = (char *) mask; 157 - return amask[sn_type - SCTP_SN_TYPE_BASE]; 158 + 159 + if (offset >= sizeof(struct sctp_event_subscribe)) 160 + return 0; 161 + return amask[offset]; 158 162 } 159 163 160 164 /* Given an event subscription, is this event enabled? */