Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 23 Jun 2017 10:09:49 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r320264 - head/sys/netinet
Message-ID:  <201706231009.v5NA9noQ049468@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: tuexen
Date: Fri Jun 23 10:09:49 2017
New Revision: 320264
URL: https://svnweb.freebsd.org/changeset/base/320264

Log:
  Check the length of a COOKIE chunk before accessing fields in it.
  
  Thanks to Felix Weinrank for reporting the issue he found by using
  libFuzzer.
  
  MFC after:	3 days

Modified:
  head/sys/netinet/sctp_input.c

Modified: head/sys/netinet/sctp_input.c
==============================================================================
--- head/sys/netinet/sctp_input.c	Fri Jun 23 09:27:31 2017	(r320263)
+++ head/sys/netinet/sctp_input.c	Fri Jun 23 10:09:49 2017	(r320264)
@@ -2441,6 +2441,12 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, in
 	cookie_offset = offset + sizeof(struct sctp_chunkhdr);
 	cookie_len = ntohs(cp->ch.chunk_length);
 
+	if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
+	    sizeof(struct sctp_init_chunk) +
+	    sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
+		/* cookie too small */
+		return (NULL);
+	}
 	if ((cookie->peerport != sh->src_port) ||
 	    (cookie->myport != sh->dest_port) ||
 	    (cookie->my_vtag != sh->v_tag)) {
@@ -2451,12 +2457,6 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, in
 		 * This maintains the match even though it may be in the
 		 * opposite byte order of the machine :->
 		 */
-		return (NULL);
-	}
-	if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
-	    sizeof(struct sctp_init_chunk) +
-	    sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
-		/* cookie too small */
 		return (NULL);
 	}
 	/*



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201706231009.v5NA9noQ049468>