iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Xin Long 79b28f4221 sctp: fix a potential overflow in sctp_ifwdtsn_skip 
[ Upstream commit 32832a2caf82663870126c5186cf8f86c8b2a649 ]

Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only
checks the pos against the end of the chunk. However, the data left for
the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference
it as struct sctp_ifwdtsn_skip may cause coverflow.

This patch fixes it by checking the pos against "the end of the chunk -
sizeof(struct sctp_ifwdtsn_skip)" in sctp_ifwdtsn_skip, similar to
sctp_fwdtsn_skip.

Fixes: 0fc2ea922c8a ("sctp: implement validate_ftsn for sctp_stream_interleave")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/2a71bffcd80b4f2c61fac6d344bb2f11c8fd74f7.1681155810.git.lucien.xin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-04-20 12:10:26 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition
2023-04-20 12:10:25 +02:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-14 10:16:18 +01:00
8021q
net: make free_netdev() more lenient with unregistering devices
2022-07-29 17:19:07 +02:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 15:00:08 +02:00
atm
net/atm: fix proc_mpc_write incorrect return value
2022-10-30 09:41:16 +01:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:13:17 +02:00
batman-adv
batman-adv: Don't skb_split skbuffs with frag_list
2022-05-18 10:23:42 +02:00
bluetooth
Bluetooth: Fix race condition in hidp_session_thread
2023-04-20 12:10:25 +02:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-14 10:15:31 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
netfilter: ebtables: fix table blob use-after-free
2023-03-11 16:40:12 +01:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:45:11 +01:00
can
can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events
2023-04-20 12:10:23 +02:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:17:56 +02:00
core
net: don't let netpoll invoke NAPI if in xmit context
2023-04-20 12:10:21 +02:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:09:37 +01:00
dccp
dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.
2023-02-22 12:55:57 +01:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-31 17:15:19 +02:00
dns_resolver
dsa
net: dsa: ksz: Check return value
2022-12-14 11:32:01 +01:00
ethernet
ethtool
net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
2023-01-24 07:19:55 +01:00
hsr
hsr: ratelimit only when errors are printed
2023-04-05 11:23:52 +02:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:57:51 +09:00
ife
ipv4
tcp: restrict net.ipv4.tcp_app_win
2023-04-20 12:10:26 +02:00
ipv6
ipv6: Fix an uninit variable access bug in __ip6_make_skb()
2023-04-20 12:10:21 +02:00
iucv
net/iucv: Fix size of interrupt data
2023-03-22 13:30:00 +01:00
kcm
kcm: close race conditions on sk_receive_queue
2022-11-25 17:45:56 +01:00
key
af_key: Fix send_acquire race with pfkey_register
2022-12-02 17:39:58 +01:00
l2tp
l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()
2023-03-11 16:39:29 +01:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:53:50 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:29:14 +01:00
llc
llc: only change llc->dev when bind() succeeds
2022-03-28 09:57:10 +02:00
mac80211
wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
2023-04-20 12:10:21 +02:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:32:01 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:55:58 +01:00
mptcp
mptcp: avoid setting TCP_CLOSE state twice
2023-03-22 13:30:04 +01:00
ncsi
net/ncsi: check for error return from call to nla_put_u32
2022-01-05 12:40:32 +01:00
netfilter
netfilter: nft_redir: correct value of inet type .maxattrs
2023-03-22 13:29:57 +01:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 21:01:00 +02:00
netlink
netlink: annotate data races around sk_state
2023-02-01 08:23:24 +01:00
netrom
netrom: Fix use-after-free caused by accept on already connected socket
2023-02-15 17:22:12 +01:00
nfc
nfc: change order inside nfc_se_io error path
2023-03-17 08:45:07 +01:00
nsh
openvswitch
net: openvswitch: fix possible memory leak in ovs_meter_cmd_set()
2023-02-22 12:55:57 +01:00
packet
net/af_packet: make sure to pull mac header
2023-01-14 10:16:29 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
net: psample: Fix netlink skb length with tunnel info
2021-03-07 12:34:07 +01:00
qrtr
net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
2023-04-20 12:10:26 +02:00
rds
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
2023-03-11 16:39:26 +01:00
rfkill
rfkill: Fix use-after-free in rfkill_resume()
2020-11-12 09:18:06 +01:00
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:55:53 +01:00
rxrpc
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
2023-01-14 10:16:12 +01:00
sched
net/sched: act_sample: fix action bind logic
2023-03-11 16:40:13 +01:00
sctp
sctp: fix a potential overflow in sctp_ifwdtsn_skip
2023-04-20 12:10:26 +02:00
smc
net/smc: fix deadlock triggered by cancel_delayed_work_syn()
2023-03-22 13:29:58 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
sunrpc: only free unix grouplist after RCU settles
2023-04-20 12:10:22 +02:00
switchdev
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
2021-02-07 15:37:12 +01:00
tipc
tipc: fix unexpected link reset due to discovery messages
2023-01-18 11:44:58 +01:00
tls
net: tls: fix possible race condition between do_tls_getsockopt_conf() and do_tls_setsockopt_conf()
2023-04-05 11:23:31 +02:00
unix
af_unix: Get user_ns from in_skb in unix_diag_get_exact().
2022-12-14 11:32:01 +01:00
vmw_vsock
net: vmw_vsock: vmci: Check memcpy_from_msg()
2023-01-14 10:15:42 +01:00
wimax
wireless
wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-13 10:19:36 +01:00
x25
net/x25: Fix to not accept on connected socket
2023-02-15 17:22:15 +01:00
xdp
xsk: Add missing overflow check in xdp_umem_reg
2023-04-05 11:23:32 +02:00
xfrm
xfrm: Allow transport-mode states with AF_UNSPEC selector
2023-03-22 13:29:55 +01:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
Kconfig
Makefile
socket.c
net: remove cmsg restriction from io_uring based send/recvmsg calls
2023-01-04 11:39:24 +01:00
sysctl_net.c