sctp: improve handling of illegal packets containing INIT chunks
Stop further processing of a packet when detecting that it contains an INIT chunk, which is too small or is not the only chunk in the packet. Still allow to finish the processing of chunks before the INIT chunk. Thanks to Antoly Korniltsev and Taylor Brandstetter for reporting an issue with the userland stack, which made me aware of this issue. MFC after: 3 days
This commit is contained in:
parent
9f1dc86c46
commit
c70d1ef15d
@ -4611,10 +4611,7 @@ sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
|
|||||||
chunk_buf);
|
chunk_buf);
|
||||||
if (ch == NULL) {
|
if (ch == NULL) {
|
||||||
*offset = length;
|
*offset = length;
|
||||||
if (stcb != NULL) {
|
return (stcb);
|
||||||
SCTP_TCB_UNLOCK(stcb);
|
|
||||||
}
|
|
||||||
return (NULL);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
num_chunks++;
|
num_chunks++;
|
||||||
@ -4648,12 +4645,12 @@ sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
|
|||||||
/* The INIT chunk must be the only chunk. */
|
/* The INIT chunk must be the only chunk. */
|
||||||
if ((num_chunks > 1) ||
|
if ((num_chunks > 1) ||
|
||||||
(length - *offset > (int)SCTP_SIZE32(chk_length))) {
|
(length - *offset > (int)SCTP_SIZE32(chk_length))) {
|
||||||
/* RFC 4960 requires that no ABORT is sent */
|
/*
|
||||||
|
* RFC 4960bis requires stopping the
|
||||||
|
* processing of the packet.
|
||||||
|
*/
|
||||||
*offset = length;
|
*offset = length;
|
||||||
if (stcb != NULL) {
|
return (stcb);
|
||||||
SCTP_TCB_UNLOCK(stcb);
|
|
||||||
}
|
|
||||||
return (NULL);
|
|
||||||
}
|
}
|
||||||
/* Honor our resource limit. */
|
/* Honor our resource limit. */
|
||||||
if (chk_length > SCTP_LARGEST_INIT_ACCEPTED) {
|
if (chk_length > SCTP_LARGEST_INIT_ACCEPTED) {
|
||||||
|
Loading…
Reference in New Issue
Block a user