svn commit: r355931 - head/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Fri Dec 20 15:25:09 UTC 2019
Author: tuexen
Date: Fri Dec 20 15:25:08 2019
New Revision: 355931
URL: https://svnweb.freebsd.org/changeset/base/355931
Log:
Improve input validation for some parameters having a too small
reported length.
Thanks to Natalie Silvanovich from Google for finding one of these
issues in the SCTP userland stack and reporting it.
MFC after: 1 week
Modified:
head/sys/netinet/sctp_auth.c
head/sys/netinet/sctp_pcb.c
Modified: head/sys/netinet/sctp_auth.c
==============================================================================
--- head/sys/netinet/sctp_auth.c Fri Dec 20 08:31:23 2019 (r355930)
+++ head/sys/netinet/sctp_auth.c Fri Dec 20 15:25:08 2019 (r355931)
@@ -1397,7 +1397,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, str
ptype = ntohs(phdr->param_type);
plen = ntohs(phdr->param_length);
- if ((plen == 0) || (offset + plen > length))
+ if ((plen < sizeof(struct sctp_paramhdr)) ||
+ (offset + plen > length))
break;
if (ptype == SCTP_RANDOM) {
Modified: head/sys/netinet/sctp_pcb.c
==============================================================================
--- head/sys/netinet/sctp_pcb.c Fri Dec 20 08:31:23 2019 (r355930)
+++ head/sys/netinet/sctp_pcb.c Fri Dec 20 15:25:08 2019 (r355931)
@@ -6202,7 +6202,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, s
if (offset + plen > limit) {
break;
}
- if (plen == 0) {
+ if (plen < sizeof(struct sctp_paramhdr)) {
break;
}
#ifdef INET
@@ -6427,6 +6427,9 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, s
}
if (plen > sizeof(lstore)) {
return (-23);
+ }
+ if (plen < sizeof(struct sctp_asconf_addrv4_param)) {
+ return (-101);
}
phdr = sctp_get_next_param(m, offset,
(struct sctp_paramhdr *)&lstore,
More information about the svn-src-head
mailing list