Author: tuexen
Date: Wed Apr 22 21:22:33 2020
New Revision: 360209
URL: https://svnweb.freebsd.org/changeset/base/360209

Log:
  Improve input validation when processing AUTH chunks.
  
  Thanks to Natalie Silvanovich from Google for finding and reporting the
  issue found by her in the SCTP userland stack.
  
  MFC after:            3 days
  X-MFC with:           https://svnweb.freebsd.org/changeset/base/360193

Modified:
  head/sys/netinet/sctp_input.c

Modified: head/sys/netinet/sctp_input.c
==============================================================================
--- head/sys/netinet/sctp_input.c       Wed Apr 22 21:15:26 2020        
(r360208)
+++ head/sys/netinet/sctp_input.c       Wed Apr 22 21:22:33 2020        
(r360209)
@@ -2094,7 +2094,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in
        int init_offset, initack_offset, initack_limit;
        int retval;
        int error = 0;
-       uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
+       uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
 #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
        struct socket *so;
 
@@ -2273,7 +2273,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in
        if (auth_skipped) {
                struct sctp_auth_chunk *auth;
 
-               if (auth_len <= SCTP_PARAM_BUFFER_SIZE) {
+               if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
                        auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, 
auth_offset, auth_len, auth_chunk_buf);
                } else {
                        auth = NULL;
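Review bot: The limit in `if (auth_len <= SCTP_CHUNK_BUFFER_SIZE)` is tied to `auth_chunk_buf` only by the macro name, and the array is declared about 180 lines earlier (first hunk, at line 2094), so a later edit to either one can silently bring back a copy past the end of the stack buffer. Because `auth_chunk_buf` is a local array of this function, the check could be written `if (auth_len <= sizeof(auth_chunk_buf)) {`, which keeps the bound and the buffer in one place. The type of `auth_len` is not visible in these hunks; if it is signed, the `sizeof` form would also reject negative values after conversion, which should be confirmed as the intended outcome. The body of sctp_process_cookie_new starts and ends outside both hunks.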
@@ -4670,11 +4670,13 @@ sctp_process_control(struct mbuf *m, int iphlen, int *
                        if (auth_skipped && (stcb != NULL)) {
                                struct sctp_auth_chunk *auth;
 
-                               auth = (struct sctp_auth_chunk *)
-                                   sctp_m_getptr(m, auth_offset,
-                                   auth_len, chunk_buf);
-                               got_auth = 1;
-                               auth_skipped = 0;
+                               if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
+                                       auth = (struct sctp_auth_chunk 
*)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf);
+                                       got_auth = 1;
+                                       auth_skipped = 0;
+                               } else {
+                                       auth = NULL;
+                               }
                                if ((auth == NULL) || sctp_handle_auth(stcb, 
auth, m,
                                    auth_offset)) {
                                        /* auth HMAC failed so dump it */
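Review bot: The added guard in sctp_process_control assumes `chunk_buf` holds at least SCTP_CHUNK_BUFFER_SIZE bytes, but its declaration is outside this hunk, and nothing on the visible lines states that relationship. A short comment above the `if` would record it, for example `/* auth_len must fit in chunk_buf, which sctp_m_getptr() may use as the copy target */`. The existing comment `/* auth HMAC failed so dump it */` is now reached for an oversized AUTH chunk as well, so it could read `/* AUTH chunk too large, unreadable, or HMAC failed: dump it */`. Only an upper bound on `auth_len` is visible here; a minimum of `sizeof(struct sctp_auth_chunk)` is presumably enforced where `auth_len` is set or inside sctp_handle_auth(), which is worth confirming.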