author | Michael Tuexen <tuexen@fh-muenster.de> | 2020-01-02 15:00:10 +0100 |
committer | Michael Tuexen <tuexen@fh-muenster.de> | 2020-01-02 15:00:10 +0100 |
commit | 0d166efa09c02d3d20d6379d31e7193178a620dc (patch) | |
tree | a1b536464a452c67e3b79003569094eb54866018 | |
parent | 790a7a2555aefb392a5a69923f1e9d17b4968467 (diff) | |
download | usrsctp-0d166efa09c02d3d20d6379d31e7193178a620dc.tar.gz |
Improve input validation of the spp_pathmtu field in the
SCTP_PEER_ADDR_PARAMS socket option. The code in the stack assumes
sane values for the MTU.
This issue was found by running an instance of syzkaller.
-rwxr-xr-x | usrsctplib/netinet/sctp.h | 8 | ||||
-rwxr-xr-x | usrsctplib/netinet/sctp_usrreq.c | 18 |
2 files changed, 18 insertions, 8 deletions
diff --git a/usrsctplib/netinet/sctp.h b/usrsctplib/netinet/sctp.h
index 4a7c12d4..ee5c0ba1 100755
--- a/usrsctplib/netinet/sctp.h
+++ b/usrsctplib/netinet/sctp.h
@@ -1,3 +1,4 @@
+
 /*-
 * SPDX-License-Identifier: BSD-3-Clause
 *
@@ -34,7 +35,7 @@
 #ifdef __FreeBSD__
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp.h 345461 2019-03-23 22:56:03Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp.h 356270 2020-01-02 13:55:10Z tuexen $");
 #endif
 #ifndef _NETINET_SCTP_H_
@@ -609,7 +610,10 @@ struct sctp_error_auth_invalid_hmac {
 #define SCTP_MOBILITY_PRIM_DELETED 0x00000004
-#define SCTP_SMALLEST_PMTU 512 /* smallest pmtu allowed when disabling PMTU discovery */
+/* Smallest PMTU allowed when disabling PMTU discovery */
+#define SCTP_SMALLEST_PMTU 512
+/* Largest PMTU allowed when disabling PMTU discovery */
+#define SCTP_LARGEST_PMTU 65536
 #if defined(__Userspace_os_Windows)
 #pragma pack(pop)
diff --git a/usrsctplib/netinet/sctp_usrreq.c b/usrsctplib/netinet/sctp_usrreq.c
index c10dabb8..6a19f62a 100755
--- a/usrsctplib/netinet/sctp_usrreq.c
+++ b/usrsctplib/netinet/sctp_usrreq.c
@@ -34,7 +34,7 @@
 #ifdef __FreeBSD__
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_usrreq.c 355265 2019-12-01 17:35:36Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_usrreq.c 356270 2020-01-02 13:55:10Z tuexen $");
 #endif
 #include <netinet/sctp_os.h>
@@ -6210,6 +6210,14 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
 SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
 return (EINVAL);
 }
+ if ((paddrp->spp_flags & SPP_PMTUD_DISABLE) &&
+ ((paddrp->spp_pathmtu < SCTP_SMALLEST_PMTU) ||
+ (paddrp->spp_pathmtu > SCTP_LARGEST_PMTU))) {
+ if (stcb)
+ SCTP_TCB_UNLOCK(stcb);
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ return (EINVAL);
+ }
 if (stcb != NULL) {
 /************************TCB SPECIFIC SET ******************/
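Review bot: The added range check in the -6210 hunk rejects SPP_PMTUD_DISABLE with spp_pathmtu below SCTP_SMALLEST_PMTU (including 0) with EINVAL, whereas the code it replaces in the -6491 hunk still disabled discovery at the endpoint and merely left default_mtu untouched for such values, so callers that passed spp_pathmtu = 0 just to turn PMTUD off now get an error. That tightening looks intended, but neither the commit message nor the code records it; a comment above the new check such as `/* spp_pathmtu is only consulted when PMTUD is disabled; reject values the stack cannot handle instead of silently ignoring them. */` would make the contract explicit. It is also worth confirming that every field this value is later copied into (net->mtu on the per-path and per-association paths whose lower-bound tests the -6241 and -6388 hunks drop, inp->sctp_ep.default_mtu in the -6491 hunk) is at least 32 bits wide, since SCTP_LARGEST_PMTU is 65536 and would wrap to 0 in a 16-bit field; the per-path assignments sit outside the hunks shown. sctp_setopt starts and ends outside this hunk.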
@@ -6241,7 +6249,7 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
 sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
 }
 }
- if ((paddrp->spp_flags & SPP_PMTUD_DISABLE) && (paddrp->spp_pathmtu >= SCTP_SMALLEST_PMTU)) {
+ if (paddrp->spp_flags & SPP_PMTUD_DISABLE) {
 if (SCTP_OS_TIMER_PENDING(&net->pmtu_timer.timer)) {
 sctp_timer_stop(SCTP_TIMER_TYPE_PATHMTURAISE, inp, stcb, net,
 SCTP_FROM_SCTP_USRREQ + SCTP_LOC_11);
@@ -6388,7 +6396,7 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
 }
 sctp_stcb_feature_on(inp, stcb, SCTP_PCB_FLAGS_DONOT_HEARTBEAT);
 }
- if ((paddrp->spp_flags & SPP_PMTUD_DISABLE) && (paddrp->spp_pathmtu >= SCTP_SMALLEST_PMTU)) {
+ if (paddrp->spp_flags & SPP_PMTUD_DISABLE) {
 TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
 if (SCTP_OS_TIMER_PENDING(&net->pmtu_timer.timer)) {
 sctp_timer_stop(SCTP_TIMER_TYPE_PATHMTURAISE, inp, stcb, net,
@@ -6491,9 +6499,7 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
 inp->sctp_ep.default_mtu = 0;
 sctp_feature_off(inp, SCTP_PCB_FLAGS_DO_NOT_PMTUD);
 } else if (paddrp->spp_flags & SPP_PMTUD_DISABLE) {
- if (paddrp->spp_pathmtu >= SCTP_SMALLEST_PMTU) {
- inp->sctp_ep.default_mtu = paddrp->spp_pathmtu;
- }
+ inp->sctp_ep.default_mtu = paddrp->spp_pathmtu;
 sctp_feature_on(inp, SCTP_PCB_FLAGS_DO_NOT_PMTUD);
 }
 if (paddrp->spp_flags & SPP_DSCP) { |