Author: tuexen Date: Wed Jun 6 22:34:20 2018 New Revision: 334743 URL: https://svnweb.freebsd.org/changeset/base/334743
Log: MFstable/11 334732: Don't overflow a buffer if we receive an INIT or INIT-ACK chunk without a RANDOM parameter but with a CHUNKS or HMAC-ALGO parameter. Please note that sending this combination violates the specification. Thanks to Ronald E. Crane for reporting the issue for the userland stack. Approved by: re (gjb@) Modified: releng/11.2/sys/netinet/sctp_auth.c releng/11.2/sys/netinet/sctp_pcb.c Directory Properties: releng/11.2/ (props changed) Modified: releng/11.2/sys/netinet/sctp_auth.c ============================================================================== --- releng/11.2/sys/netinet/sctp_auth.c Wed Jun 6 22:29:21 2018 (r334742) +++ releng/11.2/sys/netinet/sctp_auth.c Wed Jun 6 22:34:20 2018 (r334743) @@ -1502,6 +1502,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, str if (p_random != NULL) { keylen = sizeof(*p_random) + random_len; memcpy(new_key->key, p_random, keylen); + } else { + keylen = 0; } /* append in the AUTH chunks */ if (chunks != NULL) { Modified: releng/11.2/sys/netinet/sctp_pcb.c ============================================================================== --- releng/11.2/sys/netinet/sctp_pcb.c Wed Jun 6 22:29:21 2018 (r334742) +++ releng/11.2/sys/netinet/sctp_pcb.c Wed Jun 6 22:34:20 2018 (r334743) @@ -6702,6 +6702,8 @@ next_param: if (p_random != NULL) { keylen = sizeof(*p_random) + random_len; memcpy(new_key->key, p_random, keylen); + } else { + keylen = 0; } /* append in the AUTH chunks */ if (chunks != NULL) { _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"