git: 218e463b85c4 - main - sctp: ensure that ASCONF chunks are not too large

Go to: [ bottom of page ] [ top of archives ] [ this month ]
From: Michael Tuexen <tuexen_at_FreeBSD.org>
Date: Tue, 29 Mar 2022 23:23:10 UTC
The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=218e463b85c4b78af93583cfc3d95a1cab8408bf

commit 218e463b85c4b78af93583cfc3d95a1cab8408bf
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2022-03-29 23:22:20 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2022-03-29 23:22:20 +0000

    sctp: ensure that ASCONF chunks are not too large
    
    MFC after:      3 days
---
 sys/netinet/sctp_asconf.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/sctp_asconf.c b/sys/netinet/sctp_asconf.c
index 411440468856..a4457471410e 100644
--- a/sys/netinet/sctp_asconf.c
+++ b/sys/netinet/sctp_asconf.c
@@ -2561,7 +2561,7 @@ sctp_compose_asconf(struct sctp_tcb *stcb, int *retlen, int addr_locked)
 	struct sctp_asconf_chunk *acp;
 	struct sctp_asconf_paramhdr *aph;
 	struct sctp_asconf_addr_param *aap;
-	uint32_t p_length;
+	uint32_t p_length, overhead;
 	uint32_t correlation_id = 1;	/* 0 is reserved... */
 	caddr_t ptr, lookup_ptr;
 	uint8_t lookup_used = 0;
@@ -2574,6 +2574,20 @@ sctp_compose_asconf(struct sctp_tcb *stcb, int *retlen, int addr_locked)
 	if (aa == NULL)
 		return (NULL);
 
+	/* Consider IP header and SCTP common header. */
+	if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) {
+		overhead = SCTP_MIN_OVERHEAD;
+	} else {
+		overhead = SCTP_MIN_V4_OVERHEAD;
+	}
+	/* Consider ASONF chunk. */
+	overhead += sizeof(struct sctp_asconf_chunk);
+	/* Consider AUTH chunk. */
+	overhead += sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id);
+	if (stcb->asoc.smallest_mtu <= overhead) {
+		/* MTU too small. */
+		return (NULL);
+	}
 	/*
 	 * get a chunk header mbuf and a cluster for the asconf params since
 	 * it's simpler to fill in the asconf chunk header lookup address on
@@ -2615,7 +2629,7 @@ sctp_compose_asconf(struct sctp_tcb *stcb, int *retlen, int addr_locked)
 		/* get the parameter length */
 		p_length = SCTP_SIZE32(aa->ap.aph.ph.param_length);
 		/* will it fit in current chunk? */
-		if ((SCTP_BUF_LEN(m_asconf) + p_length > stcb->asoc.smallest_mtu) ||
+		if ((SCTP_BUF_LEN(m_asconf) + p_length > stcb->asoc.smallest_mtu - overhead) ||
 		    (SCTP_BUF_LEN(m_asconf) + p_length > MCLBYTES)) {
 			/* won't fit, so we're done with this chunk */
 			break;