mirror of https://git.FreeBSD.org/src.git synced 2025-01-07 13:14:51 +00:00

When reporting ERROR or ABORT chunks, don't use more data

than is guaranteed to be contiguous.
Thanks to Felix Weinrank for finding and reporting this bug
by fuzzing the usrsctp stack.

MFC after:	3 days
Michael Tuexen 2018-05-08 18:48:51 +00:00
parent 12f409ff75
commit 9669e724d1
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=333382


@ -2660,6 +2660,13 @@ sctp_notify_assoc_change(uint16_t state, struct sctp_tcb *stcb,
notif_len = (unsigned int)sizeof(struct sctp_assoc_change);
if (abort != NULL) {
abort_len = ntohs(abort->ch.chunk_length);
/*
* Only SCTP_CHUNK_BUFFER_SIZE are guaranteed to be
* contiguos.
*/
if (abort_len > SCTP_CHUNK_BUFFER_SIZE) {
abort_len = SCTP_CHUNK_BUFFER_SIZE;
}
} else {
abort_len = 0;
}
@ -3565,6 +3572,13 @@ sctp_notify_remote_error(struct sctp_tcb *stcb, uint16_t error, struct sctp_erro
}
if (chunk != NULL) {
chunk_len = ntohs(chunk->ch.chunk_length);
/*
* Only SCTP_CHUNK_BUFFER_SIZE are guaranteed to be
* contiguos.
*/
if (chunk_len > SCTP_CHUNK_BUFFER_SIZE) {
chunk_len = SCTP_CHUNK_BUFFER_SIZE;
}
} else {
chunk_len = 0;
}
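Review bot: Both clamps (`abort_len` in sctp_notify_assoc_change and `chunk_len` in sctp_notify_remote_error) shorten the reported chunk silently, and neither comment says so. The copy into the notification happens outside these hunks, so this is inferred, but the delivered bytes presumably still begin with a chunk header whose `chunk_length` holds the original, larger wire value. A consumer that walks the error causes by that embedded length instead of by the notification length would read past the data it was given. I would make the truncation explicit in both comments, e.g. `/* Only the first SCTP_CHUNK_BUFFER_SIZE bytes are guaranteed to be contiguous, so a longer chunk is reported truncated. */`, which also fixes the "contiguos" spelling. The same clamp is written out twice, so a small static helper would keep the two notification paths from drifting apart.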