[PATCH net v4] sctp: fix a potential OOB access in sctp_sched_set_sched()
From: Gavrilov Ilia
Date: Wed May 03 2023 - 09:38:08 EST
The 'sched' index value must be checked before accessing an element
of the 'sctp_sched_ops' array. Otherwise, it can lead to OOB access.
Note that it's harmless since the 'sched' parameter is checked before
calling 'sctp_sched_set_sched'.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Reviewed-by: Xin Long <lucien.xin@xxxxxxxxx>
Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx>
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@xxxxxxxxxxx>
---
V2:
- Change the order of local variables
- Specify the target tree in the subject
V3:
- Change description
- Remove 'fixes'
V4:
- revert to V2
net/sctp/stream_sched.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
index 330067002deb..4d076a9b8592 100644
--- a/net/sctp/stream_sched.c
+++ b/net/sctp/stream_sched.c
@@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream)
int sctp_sched_set_sched(struct sctp_association *asoc,
enum sctp_sched_type sched)
{
- struct sctp_sched_ops *n = sctp_sched_ops[sched];
struct sctp_sched_ops *old = asoc->outqueue.sched;
struct sctp_datamsg *msg = NULL;
+ struct sctp_sched_ops *n;
struct sctp_chunk *ch;
int i, ret = 0;
- if (old == n)
- return ret;
-
if (sched > SCTP_SS_MAX)
return -EINVAL;
+ n = sctp_sched_ops[sched];
+ if (old == n)
+ return ret;
+
if (old)
sctp_sched_free_sched(&asoc->stream);
--
2.30.2