Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 6 Jun 2018 22:34:20 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r334743 - releng/11.2/sys/netinet
Message-ID:  <201806062234.w56MYK5m087130@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help 
Author: tuexen
Date: Wed Jun  6 22:34:20 2018
New Revision: 334743
URL: https://svnweb.freebsd.org/changeset/base/334743

Log:
  MFstable/11 334732:
  
  Don't overflow a buffer if we receive an INIT or INIT-ACK chunk
  without a RANDOM parameter but with a CHUNKS or HMAC-ALGO parameter.
  Please note that sending this combination violates the specification.
  
  Thanks to Ronald E. Crane for reporting the issue for the userland
  stack.
  
  Approved by:	re (gjb@)

Modified:
  releng/11.2/sys/netinet/sctp_auth.c
  releng/11.2/sys/netinet/sctp_pcb.c
Directory Properties:
  releng/11.2/   (props changed)

Modified: releng/11.2/sys/netinet/sctp_auth.c
==============================================================================
--- releng/11.2/sys/netinet/sctp_auth.c	Wed Jun  6 22:29:21 2018	(r334742)
+++ releng/11.2/sys/netinet/sctp_auth.c	Wed Jun  6 22:34:20 2018	(r334743)
@@ -1502,6 +1502,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, str
 		if (p_random != NULL) {
 			keylen = sizeof(*p_random) + random_len;
 			memcpy(new_key->key, p_random, keylen);
+		} else {
+			keylen = 0;
 		}
 		/* append in the AUTH chunks */
 		if (chunks != NULL) {

Modified: releng/11.2/sys/netinet/sctp_pcb.c
==============================================================================
--- releng/11.2/sys/netinet/sctp_pcb.c	Wed Jun  6 22:29:21 2018	(r334742)
+++ releng/11.2/sys/netinet/sctp_pcb.c	Wed Jun  6 22:34:20 2018	(r334743)
@@ -6702,6 +6702,8 @@ next_param:
 		if (p_random != NULL) {
 			keylen = sizeof(*p_random) + random_len;
 			memcpy(new_key->key, p_random, keylen);
+		} else {
+			keylen = 0;
 		}
 		/* append in the AUTH chunks */
 		if (chunks != NULL) {

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201806062234.w56MYK5m087130>