The branch main has been updated by tuexen:
URL:
https://cgit.FreeBSD.org/src/commit/?id=ca0dd19f09335496390829851862c894f89a87f9
commit ca0dd19f09335496390829851862c894f89a87f9
Author: Michael Tuexen <tue...@freebsd.org>
AuthorDate: 2021-12-28 08:40:52 +0000
Commit: Michael Tuexen <tue...@freebsd.org>
CommitDate: 2021-12-28 08:40:52 +0000
sctp: check that the computed frag point is a multiple of 4
Reported by: syzbot+5da189fc1fe80b31f...@syzkaller.appspotmail.com
MFC after: 3 days
---
sys/netinet/sctp_output.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
index f6597bc6cbdc..e77517de2973 100644
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -6246,13 +6246,12 @@ sctp_get_frag_point(struct sctp_tcb *stcb)
if (asoc->smallest_mtu % 4) {
overhead += (asoc->smallest_mtu % 4);
}
- KASSERT(overhead % 4 == 0,
- ("overhead (%u) not a multiple of 4", overhead));
KASSERT(asoc->smallest_mtu > overhead,
("Association MTU (%u) too small for overhead (%u)",
asoc->smallest_mtu, overhead));
-
frag_point = asoc->smallest_mtu - overhead;
+ KASSERT(frag_point % 4 == 0,
+ ("frag_point (%u) not a multiple of 4", frag_point));
/* Honor MAXSEG socket option. */
if ((asoc->sctp_frag_point > 0) &&
(asoc->sctp_frag_point < frag_point)) {
