Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 23 Dec 2020 17:05:52 GMT
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: 0ec2ce0d3273 - Improve input validation for parameters in ASCONF and ASCONF-ACK chunks
Message-ID:  <202012231705.0BNH5qwb012921@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=0ec2ce0d32735e14708653ea08da055816f3f817

commit 0ec2ce0d32735e14708653ea08da055816f3f817
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2020-12-23 17:03:47 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2020-12-23 17:03:47 +0000

    Improve input validation for parameters in ASCONF and ASCONF-ACK chunks
    
    Thanks to Tolya Korniltsev for drawing my attention to this part of the
    code by reporting an issue for the userland stack.
---
 sys/netinet/sctp_asconf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sys/netinet/sctp_asconf.c b/sys/netinet/sctp_asconf.c
index 3e425afef81a..c06ddf7b1f2e 100644
--- a/sys/netinet/sctp_asconf.c
+++ b/sys/netinet/sctp_asconf.c
@@ -723,7 +723,7 @@ sctp_handle_asconf(struct mbuf *m, unsigned int offset,
 			sctp_m_freem(m_ack);
 			return;
 		}
-		if (param_length <= sizeof(struct sctp_paramhdr)) {
+		if (param_length < sizeof(struct sctp_asconf_paramhdr)) {
 			SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf: param length (%u) too short\n", param_length);
 			sctp_m_freem(m_ack);
 			return;
@@ -1743,7 +1743,7 @@ sctp_handle_asconf_ack(struct mbuf *m, int offset,
 			sctp_asconf_ack_clear(stcb);
 			return;
 		}
-		if (param_length < sizeof(struct sctp_paramhdr)) {
+		if (param_length < sizeof(struct sctp_asconf_paramhdr)) {
 			sctp_asconf_ack_clear(stcb);
 			return;
 		}

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202012231705.0BNH5qwb012921>