Limit the user-controllable amount of memory the kernel allocates
via IPPROTO_SCTP level socket options. This issue was found by running syzkaller. MFC after: 1 week
This commit is contained in:
parent
a461b7e5db
commit
d9ba240c1c
sys/netinet
@ -983,6 +983,9 @@ __FBSDID("$FreeBSD$");
|
||||
((((uint8_t *)&(a)->s_addr)[0] == 169) && \
|
||||
(((uint8_t *)&(a)->s_addr)[1] == 254))
|
||||
|
||||
/* Maximum size of optval for IPPROTO_SCTP level socket options. */
|
||||
#define SCTP_SOCKET_OPTION_LIMIT (64 * 1024)
|
||||
|
||||
|
||||
#if defined(_KERNEL)
|
||||
#define SCTP_GETTIME_TIMEVAL(x) (getmicrouptime(x))
|
||||
|
@ -6828,6 +6828,10 @@ sctp_ctloutput(struct socket *so, struct sockopt *sopt)
|
||||
return (error);
|
||||
}
|
||||
optsize = sopt->sopt_valsize;
|
||||
if (optsize > SCTP_SOCKET_OPTION_LIMIT) {
|
||||
SCTP_LTRACE_ERR_RET(so->so_pcb, NULL, NULL, SCTP_FROM_SCTP_USRREQ, ENOBUFS);
|
||||
return (ENOBUFS);
|
||||
}
|
||||
if (optsize) {
|
||||
SCTP_MALLOC(optval, void *, optsize, SCTP_M_SOCKOPT);
|
||||
if (optval == NULL) {
|
||||
|
Loading…
x
Reference in New Issue
Block a user