Date: Sat, 2 Jun 2018 16:28:10 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r334532 - head/sys/netinet Message-ID: <201806021628.w52GSAec046924@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Sat Jun 2 16:28:10 2018 New Revision: 334532 URL: https://svnweb.freebsd.org/changeset/base/334532 Log: Don't overflow a buffer if we receive an INIT or INIT-ACK chunk without a RANDOM parameter but with a CHUNKS or HMAC-ALGO parameter. Please note that sending this combination violates the specification. Thnanks to Ronald E. Crane for reporting the issue for the userland stack. MFC after: 3 days Modified: head/sys/netinet/sctp_auth.c head/sys/netinet/sctp_pcb.c Modified: head/sys/netinet/sctp_auth.c ============================================================================== --- head/sys/netinet/sctp_auth.c Sat Jun 2 15:52:18 2018 (r334531) +++ head/sys/netinet/sctp_auth.c Sat Jun 2 16:28:10 2018 (r334532) @@ -1504,6 +1504,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, str if (p_random != NULL) { keylen = sizeof(*p_random) + random_len; memcpy(new_key->key, p_random, keylen); + } else { + keylen = 0; } /* append in the AUTH chunks */ if (chunks != NULL) { Modified: head/sys/netinet/sctp_pcb.c ============================================================================== --- head/sys/netinet/sctp_pcb.c Sat Jun 2 15:52:18 2018 (r334531) +++ head/sys/netinet/sctp_pcb.c Sat Jun 2 16:28:10 2018 (r334532) @@ -6704,6 +6704,8 @@ next_param: if (p_random != NULL) { keylen = sizeof(*p_random) + random_len; memcpy(new_key->key, p_random, keylen); + } else { + keylen = 0; } /* append in the AUTH chunks */ if (chunks != NULL) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201806021628.w52GSAec046924>