diff options
| author | Michael Tuexen <tuexen@fh-muenster.de> | 2020-04-22 23:26:34 +0200 |
|---|---|---|
| committer | Michael Tuexen <tuexen@fh-muenster.de> | 2020-04-22 23:26:34 +0200 |
| commit | 858d2f73019f73bd2c1691bab75c2022640b82e7 (patch) | |
| tree | e9438aeade990dbd4037c41a533414ca316b8135 | |
| parent | e1dd9bea4f438abf4d4c3b658f1db8f013157184 (diff) | |
| download | usrsctp-858d2f73019f73bd2c1691bab75c2022640b82e7.tar.gz | |
Improve input validation when processing AUTH chunks.
Thanks to Natalie Silvanovich from Google for finding and reporting the
issue found by her in the SCTP userland stack.
| -rwxr-xr-x | usrsctplib/netinet/sctp_input.c | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/usrsctplib/netinet/sctp_input.c b/usrsctplib/netinet/sctp_input.c index 64303939..f1216d5a 100755 --- a/usrsctplib/netinet/sctp_input.c +++ b/usrsctplib/netinet/sctp_input.c @@ -34,7 +34,7 @@ #ifdef __FreeBSD__ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 360193 2020-04-22 12:47:46Z tuexen $"); +__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 360209 2020-04-22 21:22:33Z tuexen $"); #endif #include <netinet/sctp_os.h> @@ -2182,7 +2182,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, int init_offset, initack_offset, initack_limit; int retval; int error = 0; - uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; + uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) struct socket *so; @@ -2377,7 +2377,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset, if (auth_skipped) { struct sctp_auth_chunk *auth; - if (auth_len <= SCTP_PARAM_BUFFER_SIZE) { + if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) { auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); } else { auth = NULL; @@ -4849,11 +4849,13 @@ sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length, if (auth_skipped && (stcb != NULL)) { struct sctp_auth_chunk *auth; - auth = (struct sctp_auth_chunk *) - sctp_m_getptr(m, auth_offset, - auth_len, chunk_buf); - got_auth = 1; - auth_skipped = 0; + if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) { + auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf); + got_auth = 1; + auth_skipped = 0; + } else { + auth = NULL; + } if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { /* auth HMAC failed so dump it */ |