sctp: fix a potential OOB access in sctp_sched_set_sched()

The 'sched' index value must be checked before accessing an element
of the 'sctp_sched_ops' array. Otherwise, it can lead to OOB access.

Note that it's harmless since the 'sched' parameter is checked before
calling 'sctp_sched_set_sched'.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
index e843760..54afbe4 100644 (file)
--- a/net/sctp/stream_sched.c
+++ b/net/sctp/stream_sched.c
@@ -148,18 +148,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream)
 int sctp_sched_set_sched(struct sctp_association *asoc,
                         enum sctp_sched_type sched)
 {
-       struct sctp_sched_ops *n = sctp_sched_ops[sched];
        struct sctp_sched_ops *old = asoc->outqueue.sched;
        struct sctp_datamsg *msg = NULL;
+       struct sctp_sched_ops *n;
        struct sctp_chunk *ch;
        int i, ret = 0;
 
-       if (old == n)
-               return ret;
-
        if (sched > SCTP_SS_MAX)
                return -EINVAL;
 
+       n = sctp_sched_ops[sched];
+       if (old == n)
+               return ret;
+
        if (old)
                sctp_sched_free_sched(&asoc->stream);