svn commit: r320264 - head/sys/netinet

Michael Tuexen tuexen at FreeBSD.org
Fri Jun 23 10:09:50 UTC 2017


Author: tuexen
Date: Fri Jun 23 10:09:49 2017
New Revision: 320264
URL: https://svnweb.freebsd.org/changeset/base/320264

Log:
  Check the length of a COOKIE chunk before accessing fields in it.
  
  Thanks to Felix Weinrank for reporting the issue he found by using
  libFuzzer.
  
  MFC after:	3 days

Modified:
  head/sys/netinet/sctp_input.c

Modified: head/sys/netinet/sctp_input.c
==============================================================================
--- head/sys/netinet/sctp_input.c	Fri Jun 23 09:27:31 2017	(r320263)
+++ head/sys/netinet/sctp_input.c	Fri Jun 23 10:09:49 2017	(r320264)
@@ -2441,6 +2441,12 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, in
 	cookie_offset = offset + sizeof(struct sctp_chunkhdr);
 	cookie_len = ntohs(cp->ch.chunk_length);
 
+	if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
+	    sizeof(struct sctp_init_chunk) +
+	    sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
+		/* cookie too small */
+		return (NULL);
+	}
 	if ((cookie->peerport != sh->src_port) ||
 	    (cookie->myport != sh->dest_port) ||
 	    (cookie->my_vtag != sh->v_tag)) {
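Review bot: The guard added at L31–L36 is what makes the `cookie->peerport`, `cookie->myport` and `cookie->my_vtag` reads that follow safe on a truncated chunk, but the comment `/* cookie too small */` does not say so; suggest `/* cookie too small: the field accesses below must not run on a truncated chunk */` so the ordering is not undone by a later reshuffle. Note that `cookie_len` comes from `cp->ch.chunk_length`, a value supplied by the peer, so this check only bounds memory accesses if the caller has already confirmed that the chunk length fits inside the received mbuf; that presumably happens where the chunks are walked, which is outside this hunk. The second hunk is just the deletion of the old, later copy of the same check and needs no separate change. sctp_handle_cookie_echo begins before and continues after both hunks.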
@@ -2451,12 +2457,6 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, in
 		 * This maintains the match even though it may be in the
 		 * opposite byte order of the machine :->
 		 */
-		return (NULL);
-	}
-	if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
-	    sizeof(struct sctp_init_chunk) +
-	    sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
-		/* cookie too small */
 		return (NULL);
 	}
 	/*

