Date: Sun, 12 Oct 2014 17:39:37 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r273000 - stable/10/sys/netinet Message-ID: <201410121739.s9CHdbIP073492@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Sun Oct 12 17:39:37 2014 New Revision: 273000 URL: https://svnweb.freebsd.org/changeset/base/273000 Log: MFC r272750: Ensure that the number of stream reported in srs_number_streams is consistent with the amount of data provided in the SCTP_RESET_STREAMS socket option. Thanks to Peter Bostroem from Google for drawing my attention to this part of the code. Modified: stable/10/sys/netinet/sctp_usrreq.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/netinet/sctp_usrreq.c ============================================================================== --- stable/10/sys/netinet/sctp_usrreq.c Sun Oct 12 17:36:41 2014 (r272999) +++ stable/10/sys/netinet/sctp_usrreq.c Sun Oct 12 17:39:37 2014 (r273000) @@ -4431,6 +4431,12 @@ sctp_setopt(struct socket *so, int optna SCTP_TCB_UNLOCK(stcb); break; } + if (sizeof(struct sctp_reset_streams) + + strrst->srs_number_streams * sizeof(uint16_t) > optsize) { + error = EINVAL; + SCTP_TCB_UNLOCK(stcb); + break; + } if (stcb->asoc.stream_reset_outstanding) { SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EALREADY); error = EALREADY;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201410121739.s9CHdbIP073492>