Date: Thu, 7 May 2020 03:44:35 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r360770 - stable/11/sys/netinet Message-ID: <202005070344.0473iZpK045431@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Thu May 7 03:44:35 2020 New Revision: 360770 URL: https://svnweb.freebsd.org/changeset/base/360770 Log: MFC r360193, r360209: Improve input validation ofor AUTH chunks Improve input validation when processing AUTH chunks. Thanks to Natalie Silvanovich from Google for finding and reporting the issue found by her in the SCTP userland stack. Modified: stable/11/sys/netinet/sctp_input.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet/sctp_input.c ============================================================================== --- stable/11/sys/netinet/sctp_input.c Thu May 7 03:37:22 2020 (r360769) +++ stable/11/sys/netinet/sctp_input.c Thu May 7 03:44:35 2020 (r360770) @@ -2098,7 +2098,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in int init_offset, initack_offset, initack_limit; int retval; int error = 0; - uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; + uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) struct socket *so; @@ -2277,8 +2277,11 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in if (auth_skipped) { struct sctp_auth_chunk *auth; - auth = (struct sctp_auth_chunk *) - sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); + if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) { + auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); + } else { + auth = NULL; + } if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { /* auth HMAC failed, dump the assoc and packet */ SCTPDBG(SCTP_DEBUG_AUTH1, @@ -4671,11 +4674,13 @@ sctp_process_control(struct mbuf *m, int iphlen, int * if (auth_skipped && (stcb != NULL)) { struct sctp_auth_chunk *auth; - auth = (struct sctp_auth_chunk *) - sctp_m_getptr(m, auth_offset, - auth_len, chunk_buf); - got_auth = 1; - auth_skipped = 0; + if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) { + auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf); + got_auth = 1; + auth_skipped = 0; + } else { + auth = NULL; + } if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { /* auth HMAC failed so dump it */
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202005070344.0473iZpK045431>