Date: Thu, 7 May 2020 01:07:47 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r360729 - stable/11/sys/netinet Message-ID: <202005070107.04717lMx042118@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Thu May 7 01:07:47 2020 New Revision: 360729 URL: https://svnweb.freebsd.org/changeset/base/360729 Log: MFC r351638: Improve handling DATA chunks. Improve the handling of illegal sequence number combinations in received data chunks. Abort the association if there are data chunks with larger fragement sequence numbers than the fragement sequence of the last fragment. Thanks to Mark Wodrich from Google who found this issue by fuzz testing the userland stack and reporting this issue in https://github.com/sctplab/usrsctp/issues/355 Modified: stable/11/sys/netinet/sctp_indata.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet/sctp_indata.c ============================================================================== --- stable/11/sys/netinet/sctp_indata.c Thu May 7 00:56:24 2020 (r360728) +++ stable/11/sys/netinet/sctp_indata.c Thu May 7 01:07:47 2020 (r360729) @@ -1477,6 +1477,16 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc "The last fsn is now in place fsn: %u\n", chk->rec.data.fsn); control->last_frag_seen = 1; + if (SCTP_TSN_GT(control->top_fsn, chk->rec.data.fsn)) { + SCTPDBG(SCTP_DEBUG_XXX, + "New fsn: %u is not at top_fsn: %u -- abort\n", + chk->rec.data.fsn, + control->top_fsn); + sctp_abort_in_reasm(stcb, control, chk, + abort_flag, + SCTP_FROM_SCTP_INDATA + SCTP_LOC_9); + return; + } } if (asoc->idata_supported || control->first_frag_seen) { /* @@ -1492,7 +1502,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc */ sctp_abort_in_reasm(stcb, control, chk, abort_flag, - SCTP_FROM_SCTP_INDATA + SCTP_LOC_9); + SCTP_FROM_SCTP_INDATA + SCTP_LOC_10); return; } } @@ -1504,7 +1514,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc chk->rec.data.fsn, control->top_fsn); sctp_abort_in_reasm(stcb, control, chk, abort_flag, - SCTP_FROM_SCTP_INDATA + SCTP_LOC_10); + SCTP_FROM_SCTP_INDATA + SCTP_LOC_11); return; } if (asoc->idata_supported || control->first_frag_seen) { @@ -1525,7 +1535,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc chk->rec.data.fsn, control->fsn_included); sctp_abort_in_reasm(stcb, control, chk, abort_flag, - SCTP_FROM_SCTP_INDATA + SCTP_LOC_11); + SCTP_FROM_SCTP_INDATA + SCTP_LOC_12); return; } } @@ -1540,7 +1550,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc control->top_fsn); sctp_abort_in_reasm(stcb, control, chk, abort_flag, - SCTP_FROM_SCTP_INDATA + SCTP_LOC_12); + SCTP_FROM_SCTP_INDATA + SCTP_LOC_13); return; } } @@ -1583,7 +1593,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc at->rec.data.fsn); sctp_abort_in_reasm(stcb, control, chk, abort_flag, - SCTP_FROM_SCTP_INDATA + SCTP_LOC_13); + SCTP_FROM_SCTP_INDATA + SCTP_LOC_14); return; } }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202005070107.04717lMx042118>