svn commit: r334532 - head/sys/netinet

Michael Tuexen tuexen at FreeBSD.org
Sat Jun 2 16:28:12 UTC 2018


Author: tuexen
Date: Sat Jun  2 16:28:10 2018
New Revision: 334532
URL: https://svnweb.freebsd.org/changeset/base/334532

Log:
  Don't overflow a buffer if we receive an INIT or INIT-ACK chunk
  without a RANDOM parameter but with a CHUNKS or HMAC-ALGO parameter.
  Please note that sending this combination violates the specification.
  
  Thnanks to Ronald E. Crane for reporting the issue for the userland
  stack.
  
  MFC after:	3 days

Modified:
  head/sys/netinet/sctp_auth.c
  head/sys/netinet/sctp_pcb.c

Modified: head/sys/netinet/sctp_auth.c
==============================================================================
--- head/sys/netinet/sctp_auth.c	Sat Jun  2 15:52:18 2018	(r334531)
+++ head/sys/netinet/sctp_auth.c	Sat Jun  2 16:28:10 2018	(r334532)
@@ -1504,6 +1504,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, str
 		if (p_random != NULL) {
 			keylen = sizeof(*p_random) + random_len;
 			memcpy(new_key->key, p_random, keylen);
+		} else {
+			keylen = 0;
 		}
 		/* append in the AUTH chunks */
 		if (chunks != NULL) {

Modified: head/sys/netinet/sctp_pcb.c
==============================================================================
--- head/sys/netinet/sctp_pcb.c	Sat Jun  2 15:52:18 2018	(r334531)
+++ head/sys/netinet/sctp_pcb.c	Sat Jun  2 16:28:10 2018	(r334532)
@@ -6704,6 +6704,8 @@ next_param:
 		if (p_random != NULL) {
 			keylen = sizeof(*p_random) + random_len;
 			memcpy(new_key->key, p_random, keylen);
+		} else {
+			keylen = 0;
 		}
 		/* append in the AUTH chunks */
 		if (chunks != NULL) {


More information about the svn-src-head mailing list