authorMichael Tuexen <tuexen@FreeBSD.org>2020-05-07 03:44:35 +0000
committerMichael Tuexen <tuexen@FreeBSD.org>2020-05-07 03:44:35 +0000
commitaf5fc8730c1fc5c416d737452cd7cd213b93868e (patch)
tree57af5a1b85fc1602fd705f796be84163f56e1e19 /sys/netinet/sctp_input.c
parent27ea4b5568b6deea5d8eff64f5b8f4d1250175c2 (diff)
MFC r360193, r360209: Improve input validation for AUTH chunks
Improve input validation when processing AUTH chunks. Thanks to Natalie Silvanovich from Google for finding and reporting the issue found by her in the SCTP userland stack.
Notes
Notes: svn path=/stable/11/; revision=360770
Diffstat (limited to 'sys/netinet/sctp_input.c')
-rw-r--r--sys/netinet/sctp_input.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index 5ee81f2c21e0..c8facafa42b3 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -2098,7 +2098,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
int init_offset, initack_offset, initack_limit;
int retval;
int error = 0;
- uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
+ uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
struct socket *so;
@@ -2277,8 +2277,11 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
if (auth_skipped) {
struct sctp_auth_chunk *auth;
- auth = (struct sctp_auth_chunk *)
- sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
+ if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
+ auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
+ } else {
+ auth = NULL;
+ }
if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
/* auth HMAC failed, dump the assoc and packet */
SCTPDBG(SCTP_DEBUG_AUTH1,
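Review bot: The new bound in `if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {` is tied to `auth_chunk_buf` only by the macro name, while the declaration it protects is changed in the first hunk, roughly 180 lines earlier in sctp_process_cookie_new. Writing the guard as `if (auth_len <= sizeof(auth_chunk_buf)) {` would keep the length passed to sctp_m_getptr and the destination array in step if the array is ever resized again. The check has no lower bound either; whether `auth_len` is already known to cover a full `struct sctp_auth_chunk` header is decided outside this hunk (the function starts and ends outside it), so that is worth confirming in the caller or in sctp_handle_auth.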
@@ -4671,11 +4674,13 @@ sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
if (auth_skipped && (stcb != NULL)) {
struct sctp_auth_chunk *auth;
- auth = (struct sctp_auth_chunk *)
- sctp_m_getptr(m, auth_offset,
- auth_len, chunk_buf);
- got_auth = 1;
- auth_skipped = 0;
+ if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
+ auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf);
+ got_auth = 1;
+ auth_skipped = 0;
+ } else {
+ auth = NULL;
+ }
if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
auth_offset)) {
/* auth HMAC failed so dump it */
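Review bot: The `else` branch that sets `auth = NULL` for an oversized AUTH chunk has no comment, and it falls into the same path as a bad HMAC (`/* auth HMAC failed so dump it */`). The two cases therefore read the same in the code and, as far as the hunk shows, in any debug output. I would add `/* AUTH chunk does not fit in chunk_buf; treat as failed authentication */` above `auth = NULL;`, and the same comment in the matching `else` in sctp_process_cookie_new. `got_auth` and `auth_skipped` are now left unchanged on this path; that looks intended if the packet is discarded, but the rest of the failure branch lies outside the hunk and should be checked.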