svn commit: r360770 - stable/11/sys/netinet

Michael Tuexen tuexen at FreeBSD.org
Thu May 7 03:44:36 UTC 2020 

Author: tuexen
Date: Thu May  7 03:44:35 2020
New Revision: 360770
URL: https://svnweb.freebsd.org/changeset/base/360770

Log:
  MFC r360193, r360209: Improve input validation ofor AUTH chunks
  
  Improve input validation when processing AUTH chunks.
  
  Thanks to Natalie Silvanovich from Google for finding and reporting the
  issue found by her in the SCTP userland stack.

Modified:
  stable/11/sys/netinet/sctp_input.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/sctp_input.c
==============================================================================
--- stable/11/sys/netinet/sctp_input.c	Thu May  7 03:37:22 2020	(r360769)
+++ stable/11/sys/netinet/sctp_input.c	Thu May  7 03:44:35 2020	(r360770)
@@ -2098,7 +2098,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in
 	int init_offset, initack_offset, initack_limit;
 	int retval;
 	int error = 0;
-	uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
+	uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 	struct socket *so;
 
@@ -2277,8 +2277,11 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in
 	if (auth_skipped) {
 		struct sctp_auth_chunk *auth;
 
-		auth = (struct sctp_auth_chunk *)
-		    sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
+		if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
+			auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
+		} else {
+			auth = NULL;
+		}
 		if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
 			/* auth HMAC failed, dump the assoc and packet */
 			SCTPDBG(SCTP_DEBUG_AUTH1,
@@ -4671,11 +4674,13 @@ sctp_process_control(struct mbuf *m, int iphlen, int *
 			if (auth_skipped && (stcb != NULL)) {
 				struct sctp_auth_chunk *auth;
 
-				auth = (struct sctp_auth_chunk *)
-				    sctp_m_getptr(m, auth_offset,
-				    auth_len, chunk_buf);
-				got_auth = 1;
-				auth_skipped = 0;
+				if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
+					auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf);
+					got_auth = 1;
+					auth_skipped = 0;
+				} else {
+					auth = NULL;
+				}
 				if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
 				    auth_offset)) {
 					/* auth HMAC failed so dump it */

More information about the svn-src-stable mailing list