Author: tuexen
Date: Wed Jul 1 21:37:32 2020
New Revision: 362868
URL: https://svnweb.freebsd.org/changeset/base/362868
Log:
MFC r355931:
Improve input validation for some parameters having a too small
reported length.
Thanks to Natalie Silvanovich from Google for finding one of these
issues in the SCTP userland stack and reporting it.
Modified:
stable/12/sys/netinet/sctp_auth.c
stable/12/sys/netinet/sctp_pcb.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netinet/sctp_auth.c
==============================================================================
--- stable/12/sys/netinet/sctp_auth.c Wed Jul 1 21:27:33 2020
(r362867)
+++ stable/12/sys/netinet/sctp_auth.c Wed Jul 1 21:37:32 2020
(r362868)
@@ -1397,7 +1397,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, str
ptype = ntohs(phdr->param_type);
plen = ntohs(phdr->param_length);
- if ((plen == 0) || (offset + plen > length))
+ if ((plen < sizeof(struct sctp_paramhdr)) ||
+ (offset + plen > length))
break;
if (ptype == SCTP_RANDOM) {
Modified: stable/12/sys/netinet/sctp_pcb.c
==============================================================================
--- stable/12/sys/netinet/sctp_pcb.c Wed Jul 1 21:27:33 2020
(r362867)
+++ stable/12/sys/netinet/sctp_pcb.c Wed Jul 1 21:37:32 2020
(r362868)
@@ -6202,7 +6202,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, s
if (offset + plen > limit) {
break;
}
- if (plen == 0) {
+ if (plen < sizeof(struct sctp_paramhdr)) {
break;
}
#ifdef INET
@@ -6427,6 +6427,9 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, s
}
if (plen > sizeof(lstore)) {
return (-23);
+ }
+ if (plen < sizeof(struct sctp_asconf_addrv4_param)) {
+ return (-101);
}
phdr = sctp_get_next_param(m, offset,
(struct sctp_paramhdr *)&lstore,
_______________________________________________
[email protected] mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "[email protected]"
