git: f7b539eb6d83 - stable/13 - sctp: improve handling of illegal packets containing INIT chunks
Michael Tuexen
tuexen at FreeBSD.org
Sun Jun 6 23:28:50 UTC 2021
The branch stable/13 has been updated by tuexen:
URL: https://cgit.FreeBSD.org/src/commit/?id=f7b539eb6d8331daefbb9faa01973b76923cb44d
commit f7b539eb6d8331daefbb9faa01973b76923cb44d
Author: Michael Tuexen <tuexen at FreeBSD.org>
AuthorDate: 2021-04-26 08:38:05 +0000
Commit: Michael Tuexen <tuexen at FreeBSD.org>
CommitDate: 2021-06-02 21:40:11 +0000
sctp: improve handling of illegal packets containing INIT chunks
Stop further processing of a packet when detecting that it
contains an INIT chunk, which is too small or is not the only
chunk in the packet. Still allow to finish the processing
of chunks before the INIT chunk.
Thanks to Antoly Korniltsev and Taylor Brandstetter for reporting
an issue with the userland stack, which made me aware of this
issue.
(cherry picked from commit c70d1ef15db0d994eff4a2c4d9feabdc46bff1c6)
---
sys/netinet/sctp_input.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index 5b4c3152da0d..c70358f0af07 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -4611,10 +4611,7 @@ process_control_chunks:
chunk_buf);
if (ch == NULL) {
*offset = length;
- if (stcb != NULL) {
- SCTP_TCB_UNLOCK(stcb);
- }
- return (NULL);
+ return (stcb);
}
num_chunks++;
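Review bot: the `ch == NULL` branch now returns `stcb` with the TCB lock still held, and nothing in the hunk documents that the caller is expected to release it. The removed lines guarded on `stcb != NULL`, so this path can still hand back NULL; a short comment above `return (stcb);` stating that a non-NULL result is returned locked, and that `*offset = length` is what stops further chunk processing, would make the new contract explicit. The commit message speaks only of INIT chunks, so it would also help to say why the `ch == NULL` path is changed in the same way.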
@@ -4648,12 +4645,12 @@ process_control_chunks:
/* The INIT chunk must be the only chunk. */
if ((num_chunks > 1) ||
(length - *offset > (int)SCTP_SIZE32(chk_length))) {
- /* RFC 4960 requires that no ABORT is sent */
+ /*
+ * RFC 4960bis requires stopping the
+ * processing of the packet.
+ */
*offset = length;
- if (stcb != NULL) {
- SCTP_TCB_UNLOCK(stcb);
- }
- return (NULL);
+ return (stcb);
}
/* Honor our resource limit. */
if (chk_length > SCTP_LARGEST_INIT_ACCEPTED) {
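Review bot: the rewritten comment in the "INIT chunk must be the only chunk" branch drops the earlier statement that no ABORT is sent, which is still what the code does, and it cites "RFC 4960bis", a draft designation rather than a stable reference. Suggest keeping both facts in the comment (processing of the packet stops, and no ABORT is sent) and naming the section the requirement comes from. As in the first hunk, `return (stcb);` replaces an unlock followed by `return (NULL);`, so the comment should also note that the TCB is returned locked when it is non-NULL.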