d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sctp: avoid integer overflow when starting the HB timer

Browse Source 
MFC after:	3 days
Reported by:	syzbot+14b9d7c3c64208fae62f@syzkaller.appspotmail.com
This commit is contained in:
Michael Tuexen 2021-02-27 23:27:30 +01:00
parent d656ce199d
commit 70e95f0b69
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
sys/netinet/sctputil.c
View File

@ -2277,14 +2277,19 @@ sctp_timer_start(int t_type, struct sctp_inpcb *inp, struct sctp_tcb *stcb,
}
rndval = sctp_select_initial_TSN(&inp->sctp_ep);
jitter = rndval % to_ticks;
if (jitter >= (to_ticks >> 1)) {
to_ticks = to_ticks + (jitter - (to_ticks >> 1));
to_ticks >>= 1;
if (jitter < (UINT32_MAX - to_ticks)) {
to_ticks += jitter;
} else {
to_ticks = to_ticks - jitter;
to_ticks = UINT32_MAX;
}
if (!(net->dest_state & SCTP_ADDR_UNCONFIRMED) &&
!(net->dest_state & SCTP_ADDR_PF)) {
to_ticks += net->heart_beat_delay;
if (net->heart_beat_delay < (UINT32_MAX - to_ticks)) {
to_ticks += net->heart_beat_delay;
} else {
to_ticks = UINT32_MAX;
}
}
/*
* Now we must convert the to_ticks that are now in ms to