author | Michael Tuexen <tuexen@fh-muenster.de> | 2020-04-22 14:50:10 +0200 |
---|---|---|
committer | Michael Tuexen <tuexen@fh-muenster.de> | 2020-04-22 14:50:10 +0200 |
commit | e1dd9bea4f438abf4d4c3b658f1db8f013157184 (patch) | |
tree | 35b80368b1c8ec4a48ec9448c4108c11a9b00cb3 | |
parent | 579e6dea765c593acaa8525f6280b85868c866fc (diff) | |
Improve input validation when processing AUTH chunks.
Thanks to Natalie Silvanovich from Google for finding and reporting the
issue found by her in the SCTP userland stack.
-rwxr-xr-x | usrsctplib/netinet/sctp_input.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/usrsctplib/netinet/sctp_input.c b/usrsctplib/netinet/sctp_input.c
index 58e7f3f4..64303939 100755
--- a/usrsctplib/netinet/sctp_input.c
+++ b/usrsctplib/netinet/sctp_input.c
@@ -34,7 +34,7 @@
 #ifdef __FreeBSD__
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 359405 2020-03-28 20:25:45Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_input.c 360193 2020-04-22 12:47:46Z tuexen $");
 #endif
 #include <netinet/sctp_os.h>
@@ -2377,8 +2377,11 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
 if (auth_skipped) {
 struct sctp_auth_chunk *auth;
- auth = (struct sctp_auth_chunk *)
- sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
+ if (auth_len <= SCTP_PARAM_BUFFER_SIZE) {
+ auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
+ } else {
+ auth = NULL;
+ }
 if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
 /* auth HMAC failed, dump the assoc and packet */
 SCTPDBG(SCTP_DEBUG_AUTH1, |
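Review bot: The new bound in the `if (auth_skipped)` block compares `auth_len` against `SCTP_PARAM_BUFFER_SIZE` rather than against the size of the buffer actually handed to `sctp_m_getptr()`; the declaration of `auth_chunk_buf` is outside this hunk, so it cannot be confirmed here that the two agree. If `auth_chunk_buf` is a local array in this function, `if (auth_len <= sizeof(auth_chunk_buf)) {` ties the check to the destination and stays correct if the declaration is ever changed. A lower bound is also worth confirming: unless the caller already guarantees that `auth_len` is at least `sizeof(struct sctp_auth_chunk)`, `sctp_handle_auth()` may read header fields past the bytes that were copied. A short comment such as `/* reject AUTH chunks that do not fit in auth_chunk_buf */` above the check would record why the length is tested. The body of `sctp_process_cookie_new` starts and ends outside the hunk.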