authorMichael Tuexen <tuexen@FreeBSD.org>2020-05-07 03:44:35 +0000
committerMichael Tuexen <tuexen@FreeBSD.org>2020-05-07 03:44:35 +0000
commitaf5fc8730c1fc5c416d737452cd7cd213b93868e (patch)
tree57af5a1b85fc1602fd705f796be84163f56e1e19
parent27ea4b5568b6deea5d8eff64f5b8f4d1250175c2 (diff)
MFC r360193, r360209: Improve input validation for AUTH chunks
Improve input validation when processing AUTH chunks. Thanks to Natalie Silvanovich from Google for finding and reporting the issue found by her in the SCTP userland stack.
Notes
Notes: svn path=/stable/11/; revision=360770
-rw-r--r--sys/netinet/sctp_input.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index 5ee81f2c21e0..c8facafa42b3 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -2098,7 +2098,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
int init_offset, initack_offset, initack_limit;
int retval;
int error = 0;
- uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
+ uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
struct socket *so;
@@ -2277,8 +2277,11 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
if (auth_skipped) {
struct sctp_auth_chunk *auth;
- auth = (struct sctp_auth_chunk *)
- sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
+ if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
+ auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
+ } else {
+ auth = NULL;
+ }
if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
/* auth HMAC failed, dump the assoc and packet */
SCTPDBG(SCTP_DEBUG_AUTH1,
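Review bot: The new bound `auth_len <= SCTP_CHUNK_BUFFER_SIZE` repeats the constant instead of using the size of the destination buffer, so the check and the `auth_chunk_buf` declaration changed in the first hunk can drift apart again, which is the kind of mismatch this commit corrects. Writing it as `if (auth_len <= sizeof(auth_chunk_buf)) {` ties the limit to the buffer actually passed to sctp_m_getptr(). The same applies to the check in sctp_process_control() in the third hunk, but `sizeof(chunk_buf)` is only correct there if chunk_buf is a local array; its declaration is outside the hunk, so that needs confirming. The body of sctp_process_cookie_new() starts and ends outside this hunk.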
@@ -4671,11 +4674,13 @@ sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
if (auth_skipped && (stcb != NULL)) {
struct sctp_auth_chunk *auth;
- auth = (struct sctp_auth_chunk *)
- sctp_m_getptr(m, auth_offset,
- auth_len, chunk_buf);
- got_auth = 1;
- auth_skipped = 0;
+ if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
+ auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf);
+ got_auth = 1;
+ auth_skipped = 0;
+ } else {
+ auth = NULL;
+ }
if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
auth_offset)) {
/* auth HMAC failed so dump it */
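Review bot: The `else` branch that sets `auth = NULL` has no comment, and an over-long AUTH chunk then falls into the path labelled `/* auth HMAC failed so dump it */`, which reads as if the HMAC had been computed and rejected. A short comment above `auth = NULL;`, such as `/* AUTH chunk does not fit in chunk_buf: reject without verifying */`, would record why the chunk is dropped; the else branch in the second hunk could carry the same comment. If the debug output that follows (outside this hunk) is used for triage, a distinct message for the length rejection would help separate malformed input from genuine HMAC failures.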