1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-14 10:09:48 +00:00

Limit the size of messages sent on 1-to-many style SCTP sockets with the

SCTP_SENDALL flag. Allow also only one operation per SCTP endpoint.

This fixes an issue found by running syzkaller and is joint work with rrs@.

MFC after:		1 week
This commit is contained in:
Michael Tuexen 2019-03-23 22:56:03 +00:00
parent 2ef5bd2f0c
commit 7de4780412
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=345461
2 changed files with 15 additions and 0 deletions

View File

@ -491,6 +491,7 @@ struct sctp_error_auth_invalid_hmac {
* time */
#define SCTP_SAT_NETWORK_BURST_INCR 2 /* how many times to multiply maxburst
* in sat */
#define SCTP_MAX_SENDALL_LIMIT 1024
/* Data Chuck Specific Flags */
#define SCTP_DATA_FRAG_MASK 0x03
@ -516,6 +517,7 @@ struct sctp_error_auth_invalid_hmac {
#define SCTP_PCB_FLAGS_BOUNDALL 0x00000004
#define SCTP_PCB_FLAGS_ACCEPTING 0x00000008
#define SCTP_PCB_FLAGS_UNBOUND 0x00000010
#define SCTP_PCB_FLAGS_SND_ITERATOR_UP 0x00000020
#define SCTP_PCB_FLAGS_CLOSE_IP 0x00040000
#define SCTP_PCB_FLAGS_WAS_CONNECTED 0x00080000
#define SCTP_PCB_FLAGS_WAS_ABORTED 0x00100000

View File

@ -6804,6 +6804,10 @@ sctp_sendall_completes(void *ptr, uint32_t val SCTP_UNUSED)
*/
/* now free everything */
if (ca->inp) {
/* Lets clear the flag to allow others to run. */
ca->inp->sctp_flags &= ~SCTP_PCB_FLAGS_SND_ITERATOR_UP;
}
sctp_m_freem(ca->m);
SCTP_FREE(ca, SCTP_M_COPYAL);
}
@ -6857,6 +6861,14 @@ sctp_sendall(struct sctp_inpcb *inp, struct uio *uio, struct mbuf *m,
int ret;
struct sctp_copy_all *ca;
if (inp->sctp_flags & SCTP_PCB_FLAGS_SND_ITERATOR_UP) {
/* There is another. */
return (EBUSY);
}
if (uio->uio_resid > SCTP_MAX_SENDALL_LIMIT) {
/* You must be less than the max! */
return (EMSGSIZE);
}
SCTP_MALLOC(ca, struct sctp_copy_all *, sizeof(struct sctp_copy_all),
SCTP_M_COPYAL);
if (ca == NULL) {
@ -6893,6 +6905,7 @@ sctp_sendall(struct sctp_inpcb *inp, struct uio *uio, struct mbuf *m,
ca->sndlen += SCTP_BUF_LEN(mat);
}
}
inp->sctp_flags |= SCTP_PCB_FLAGS_SND_ITERATOR_UP;
ret = sctp_initiate_iterator(NULL, sctp_sendall_iterator, NULL,
SCTP_PCB_ANY_FLAGS, SCTP_PCB_ANY_FEATURES,
SCTP_ASOC_ANY_STATE,