1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0065
3 --- a/net/sctp/sm_statefuns.c
4 +++ b/net/sctp/sm_statefuns.c
5 @@ -3569,6 +3569,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
7 struct sctp_chunk *chunk = arg;
8 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
9 + struct sctp_fwdtsn_skip *skip;
13 @@ -3598,6 +3599,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(c
14 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
17 + /* Silently discard the chunk if stream-id is not valid */
18 + sctp_walk_fwdtsn(skip, chunk) {
19 + if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
20 + goto discard_noforce;
23 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
24 if (len > sizeof(struct sctp_fwdtsn_hdr))
25 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,
26 @@ -3629,6 +3636,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
28 struct sctp_chunk *chunk = arg;
29 struct sctp_fwdtsn_hdr *fwdtsn_hdr;
30 + struct sctp_fwdtsn_skip *skip;
34 @@ -3658,6 +3666,12 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_f
35 if (sctp_tsnmap_check(&asoc->peer.tsn_map, tsn) < 0)
38 + /* Silently discard the chunk if stream-id is not valid */
39 + sctp_walk_fwdtsn(skip, chunk) {
40 + if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
44 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_FWDTSN, SCTP_U32(tsn));
45 if (len > sizeof(struct sctp_fwdtsn_hdr))
46 sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_FWDTSN,