When reporting ERROR or ABORT chunks, don't use more data

than is guaranteed to be contiguous.
Thanks to Felix Weinrank for finding and reporting this bug
by fuzzing the usrsctp stack.

MFC after:	3 days
tuexen 2018-05-08 18:48:51 +00:00
parent 2d507e9195
commit af0c2859d5


@ -2660,6 +2660,13 @@ sctp_notify_assoc_change(uint16_t state, struct sctp_tcb *stcb,
notif_len = (unsigned int)sizeof(struct sctp_assoc_change);
if (abort != NULL) {
abort_len = ntohs(abort->ch.chunk_length);
/*
* Only SCTP_CHUNK_BUFFER_SIZE are guaranteed to be
* contiguos.
*/
if (abort_len > SCTP_CHUNK_BUFFER_SIZE) {
abort_len = SCTP_CHUNK_BUFFER_SIZE;
}
} else {
abort_len = 0;
}
@ -3565,6 +3572,13 @@ sctp_notify_remote_error(struct sctp_tcb *stcb, uint16_t error, struct sctp_erro
}
if (chunk != NULL) {
chunk_len = ntohs(chunk->ch.chunk_length);
/*
* Only SCTP_CHUNK_BUFFER_SIZE are guaranteed to be
* contiguos.
*/
if (chunk_len > SCTP_CHUNK_BUFFER_SIZE) {
chunk_len = SCTP_CHUNK_BUFFER_SIZE;
}
} else {
chunk_len = 0;
}
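Review bot: The clamp added in both hunks (`abort_len` in sctp_notify_assoc_change, `chunk_len` in sctp_notify_remote_error) truncates a peer-supplied length without saying so. If the chunk is later copied into the notification with its header intact, which happens outside these hunks and is only inferred here, the embedded `chunk_length` will exceed the bytes actually delivered. A consumer that trusts that field instead of the notification length could then read past the data. The comment should state this, for example `/* Only SCTP_CHUNK_BUFFER_SIZE bytes are guaranteed to be contiguous; the reported chunk may be truncated, so its chunk_length field can exceed the data delivered. */`, which also fixes the "contiguos" typo and the missing unit. Since the same bound is written out twice, a small static helper taking the chunk header and returning the clamped length would keep a future call site from missing it; both functions begin and end outside the hunks shown.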