d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix an off-by-one error in the input validation of the SCTP_RESET_STREAMS

Browse Source 
socketoption.

This was found by running syzkaller.

MFC after:		3 days
This commit is contained in:
tuexen 2019-02-05 10:13:51 +00:00
parent 0086006e74
commit 78654493eb
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
sys/netinet/sctp_usrreq.c
View File

@ -4654,13 +4654,13 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
} }
for (i = 0; i < strrst->srs_number_streams; i++) { for (i = 0; i < strrst->srs_number_streams; i++) {
if ((send_in) && if ((send_in) &&
(strrst->srs_stream_list[i] > stcb->asoc.streamincnt)) { (strrst->srs_stream_list[i] >= stcb->asoc.streamincnt)) {
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
error = EINVAL; error = EINVAL;
break; break;
} }
if ((send_out) && if ((send_out) &&
(strrst->srs_stream_list[i] > stcb->asoc.streamoutcnt)) { (strrst->srs_stream_list[i] >= stcb->asoc.streamoutcnt)) {
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
error = EINVAL; error = EINVAL;
break; break;