Date:      Thu, 31 May 2018 16:14:45 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r334441 - stable/11/sys/netinet
Message-ID:  <201805311614.w4VGEjTk076013@repo.freebsd.org>

Author: tuexen
Date: Thu May 31 16:14:45 2018
New Revision: 334441
URL: https://svnweb.freebsd.org/changeset/base/334441

Log:
  MFC r333382:
  
  When reporting ERROR or ABORT chunks, don't use more data
  than is guaranteed to be contiguous.
  Thanks to Felix Weinrank for finding and reporting this bug
  by fuzzing the usrsctp stack.
  
  MFC r333386:
  
  Fix two typos reported by N. J. Mann, which were introduced in
  https://svnweb.freebsd.org/changeset/base/333382 by me.
  
  Approved by:	re@ (marius)

Modified:
  stable/11/sys/netinet/sctputil.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/sys/netinet/sctputil.c
==============================================================================
--- stable/11/sys/netinet/sctputil.c	Thu May 31 16:10:44 2018	(r334440)
+++ stable/11/sys/netinet/sctputil.c	Thu May 31 16:14:45 2018	(r334441)
@@ -2658,6 +2658,13 @@ sctp_notify_assoc_change(uint16_t state, struct sctp_t
 		notif_len = (unsigned int)sizeof(struct sctp_assoc_change);
 		if (abort != NULL) {
 			abort_len = ntohs(abort->ch.chunk_length);
+			/*
+			 * Only SCTP_CHUNK_BUFFER_SIZE are guaranteed to be
+			 * contiguous.
+			 */
+			if (abort_len > SCTP_CHUNK_BUFFER_SIZE) {
+				abort_len = SCTP_CHUNK_BUFFER_SIZE;
+			}
 		} else {
 			abort_len = 0;
 		}
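Review bot: The new comment above the clamp in sctp_notify_assoc_change() names no unit ("Only SCTP_CHUNK_BUFFER_SIZE are guaranteed to be contiguous"). Something like "Only the first SCTP_CHUNK_BUFFER_SIZE bytes of the chunk are guaranteed to be contiguous" would read better. It is also worth stating there that abort_len comes straight from the peer-supplied chunk_length via ntohs(), so the clamp is what bounds the amount of the ABORT chunk that ends up in the notification sized from notif_len. The clamp only enforces an upper bound. The hunk does not show whether a chunk_length smaller than the chunk header is rejected before this point, so please confirm that case is handled by the caller or add a check here.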
@@ -3562,6 +3569,13 @@ sctp_notify_remote_error(struct sctp_tcb *stcb, uint16
 	}
 	if (chunk != NULL) {
 		chunk_len = ntohs(chunk->ch.chunk_length);
+		/*
+		 * Only SCTP_CHUNK_BUFFER_SIZE are guaranteed to be
+		 * contiguous.
+		 */
+		if (chunk_len > SCTP_CHUNK_BUFFER_SIZE) {
+			chunk_len = SCTP_CHUNK_BUFFER_SIZE;
+		}
 	} else {
 		chunk_len = 0;
 	}
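Review bot: The clamp on chunk_len in sctp_notify_remote_error() is a verbatim copy of the one added for abort_len in sctp_notify_assoc_change(), comment included. Consider a small shared helper or macro that takes the chunk header and returns the length capped at SCTP_CHUNK_BUFFER_SIZE, so the two notification paths cannot drift apart when one is changed later. Separately, the truncation is silent: when chunk_length exceeds SCTP_CHUNK_BUFFER_SIZE, the consumer of the notification has no way to tell that only part of the ERROR chunk was reported. If that is intended, a sentence in the comment saying so would help.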


