The branch main has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=218e463b85c4b78af93583cfc3d95a1cab8408bf
commit 218e463b85c4b78af93583cfc3d95a1cab8408bf Author: Michael Tuexen <[email protected]> AuthorDate: 2022-03-29 23:22:20 +0000 Commit: Michael Tuexen <[email protected]> CommitDate: 2022-03-29 23:22:20 +0000 sctp: ensure that ASCONF chunks are not too large MFC after: 3 days --- sys/netinet/sctp_asconf.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/sys/netinet/sctp_asconf.c b/sys/netinet/sctp_asconf.c index 411440468856..a4457471410e 100644 --- a/sys/netinet/sctp_asconf.c +++ b/sys/netinet/sctp_asconf.c @@ -2561,7 +2561,7 @@ sctp_compose_asconf(struct sctp_tcb *stcb, int *retlen, int addr_locked) struct sctp_asconf_chunk *acp; struct sctp_asconf_paramhdr *aph; struct sctp_asconf_addr_param *aap; - uint32_t p_length; + uint32_t p_length, overhead; uint32_t correlation_id = 1; /* 0 is reserved... */ caddr_t ptr, lookup_ptr; uint8_t lookup_used = 0; @@ -2574,6 +2574,20 @@ sctp_compose_asconf(struct sctp_tcb *stcb, int *retlen, int addr_locked) if (aa == NULL) return (NULL); + /* Consider IP header and SCTP common header. */ + if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) { + overhead = SCTP_MIN_OVERHEAD; + } else { + overhead = SCTP_MIN_V4_OVERHEAD; + } + /* Consider ASONF chunk. */ + overhead += sizeof(struct sctp_asconf_chunk); + /* Consider AUTH chunk. */ + overhead += sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id); + if (stcb->asoc.smallest_mtu <= overhead) { + /* MTU too small. */ + return (NULL); + } /* * get a chunk header mbuf and a cluster for the asconf params since * it's simpler to fill in the asconf chunk header lookup address on @@ -2615,7 +2629,7 @@ sctp_compose_asconf(struct sctp_tcb *stcb, int *retlen, int addr_locked) /* get the parameter length */ p_length = SCTP_SIZE32(aa->ap.aph.ph.param_length); /* will it fit in current chunk? */ - if ((SCTP_BUF_LEN(m_asconf) + p_length > stcb->asoc.smallest_mtu) || + if ((SCTP_BUF_LEN(m_asconf) + p_length > stcb->asoc.smallest_mtu - overhead) || (SCTP_BUF_LEN(m_asconf) + p_length > MCLBYTES)) { /* won't fit, so we're done with this chunk */ break;
