Dan Carpenter dee4506f06 sctp: potential read out of bounds in sctp_ulpevent_type_enabled() ... [ Upstream commit fa5f7b51fc3080c2b195fa87c7eca7c05e56f673 ] This code causes a static checker warning because Smatch doesn't trust anything that comes from skb->data. I've reviewed this code and I do think skb->data can be controlled by the user here. The sctp_event_subscribe struct has 13 __u8 fields and we want to see if ours is non-zero. sn_type can be any value in the 0-USHRT_MAX range. We're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read either before the start of the struct or after the end. This is a very old bug and it's surprising that it would go undetected for so long but my theory is that it just doesn't have a big impact so it would be hard to notice. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2017-10-21 17:09:01 +02:00
..
auth.h	include/net/: Fix FSF address in file headers	2013-12-06 12:37:56 -05:00
checksum.h	include/net/: Fix FSF address in file headers	2013-12-06 12:37:56 -05:00
command.h	sctp: handle association restarts when the socket is closed.	2014-10-06 00:21:45 -04:00
constants.h	net: sctp: Rename SCTP_XMIT_NAGLE_DELAY to SCTP_XMIT_DELAY	2014-07-22 13:32:11 -07:00
sctp.h	sctp: fix the check for _sctp_walk_params and _sctp_walk_errors	2017-08-11 09:08:55 -07:00
sm.h	new helper: memcpy_from_msg()	2014-11-24 04:28:48 -05:00
structs.h	sctp: start t5 timer only when peer rwnd is 0 and local state is SHUTDOWN_PENDING	2015-12-06 22:31:51 -05:00
tsnmap.h	sctp: Fix FSF address in file headers	2013-12-06 12:37:56 -05:00
ulpevent.h	sctp: potential read out of bounds in sctp_ulpevent_type_enabled()	2017-10-21 17:09:01 +02:00
ulpqueue.h	sctp: Fix FSF address in file headers	2013-12-06 12:37:56 -05:00