Ensure that the list of streams sent in a stream reset parameter fits in an mbuf-cluster.
Thanks to Peter Bostroem for drawing my attention to this part of the code.
Michael Tuexen 2014-10-08 15:30:59 +00:00
parent e29127de2e
commit 9ba6106020
2 changed files with 11 additions and 3 deletions


@ -11846,7 +11846,7 @@ sctp_add_an_in_stream(struct sctp_tmit_chunk *chk,
int
sctp_send_str_reset_req(struct sctp_tcb *stcb,
int number_entries, uint16_t * list,
uint16_t number_entries, uint16_t * list,
uint8_t send_out_req,
uint8_t send_in_req,
uint8_t send_tsn_req,
@ -11879,6 +11879,14 @@ sctp_send_str_reset_req(struct sctp_tcb *stcb,
SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL);
return (EINVAL);
}
if (number_entries > (MCLBYTES -
SCTP_MIN_OVERHEAD -
sizeof(struct sctp_chunkhdr) -
sizeof(struct sctp_stream_reset_out_request)) /
sizeof(uint16_t)) {
SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
return (ENOMEM);
}
sctp_alloc_a_chunk(stcb, chk);
if (chk == NULL) {
SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM);
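Review bot: The new limit in `if (number_entries > (MCLBYTES - SCTP_MIN_OVERHEAD - ...` budgets for one `struct sctp_stream_reset_out_request` plus the stream list, while the signature carries both `send_out_req` and `send_in_req`. If the function can place the list in an outgoing and an incoming request within the same chunk (the body continues outside this hunk, so this needs confirming), the combined parameters could still exceed the cluster, and the bound would have to cover both request headers and both copies of the list. The check also carries no comment saying what it protects; I would add `/* The stream list plus chunk and request headers must fit in one mbuf cluster. */` above it. Returning `ENOMEM` for a caller-supplied count that is too large reads like an allocation failure; `EINVAL`, as used by the check just above, may describe it better.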


@ -181,8 +181,8 @@ sctp_add_stream_reset_result_tsn(struct sctp_tmit_chunk *,
uint32_t, uint32_t, uint32_t, uint32_t);
int
sctp_send_str_reset_req(struct sctp_tcb *, int, uint16_t *, uint8_t, uint8_t,
uint8_t, uint8_t, uint16_t, uint16_t, uint8_t);
sctp_send_str_reset_req(struct sctp_tcb *, uint16_t, uint16_t *, uint8_t,
uint8_t, uint8_t, uint8_t, uint16_t, uint16_t, uint8_t);
void
sctp_send_abort(struct mbuf *, int, struct sockaddr *, struct sockaddr *,
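Review bot: Narrowing the second parameter from `int` to `uint16_t` in this prototype means any caller that still holds the count in a wider type is converted implicitly, so a value above 65535 wraps before the size check inside `sctp_send_str_reset_req` can see it. The call sites are not shown on this commit page, so each one should be checked to reject out-of-range counts before the call. A comment on the prototype would make the contract visible, for example `/* number_entries: callers must reject counts that do not fit in uint16_t before calling. */`.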