usersctp is SCTP library used by a variety of software
including WebRTC. There is a vulnerability in the
sctp_load_addresses_from_init function of usersctp that can lead to
a number of out-of-bound reads. The input to
sctp_load_addresses_from_init is verified by calling
sctp_arethere_unrecognized_parameters, however there is a
difference in how these functions handle parameter bounds. The
function sctp_arethere_unrecognized_parameters does not process a
parameter that is partially outside of the limit of the chunk,
meanwhile, sctp_load_addresses_from_init will continue processing
until a parameter that is entirely outside of the chunk occurs.
This means that the last parameter of a chunk is not always
verified, which can lead to parameters with very short plen values
being processed by sctp_load_addresses_from_init. This can lead to
out-of-bounds reads whenever the plen is subtracted from the header
len.
