sctp: verify size of a new chunk in _sctp_make_chunk()

[sfrench/cifs-2.6.git] / net / sctp / sm_make_chunk.c

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 793b05ec692be6ce89f3dc437d9dc4cb8281929d..d01475f5f710667a40b56b7fff2a939e0a37e59e 100644 (file)
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1380,9 +1380,14 @@ static struct sctp_chunk *_sctp_make_chunk(const struct sctp_association *asoc,
        struct sctp_chunk *retval;
        struct sk_buff *skb;
        struct sock *sk;
+       int chunklen;
+
+       chunklen = SCTP_PAD4(sizeof(*chunk_hdr) + paylen);
+       if (chunklen > SCTP_MAX_CHUNK_LEN)
+               goto nodata;
 
        /* No need to allocate LL here, as this is only a chunk. */
-       skb = alloc_skb(SCTP_PAD4(sizeof(*chunk_hdr) + paylen), gfp);
+       skb = alloc_skb(chunklen, gfp);
        if (!skb)
                goto nodata;