From owner-svn-src-all@freebsd.org Thu May 7 03:44:36 2020 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 225C52EB4AF; Thu, 7 May 2020 03:44:36 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 49HfTw03mfz4l2L; Thu, 7 May 2020 03:44:36 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id F16F0A8A7; Thu, 7 May 2020 03:44:35 +0000 (UTC) (envelope-from tuexen@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0473iZfY045432; Thu, 7 May 2020 03:44:35 GMT (envelope-from tuexen@FreeBSD.org) Received: (from tuexen@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0473iZpK045431; Thu, 7 May 2020 03:44:35 GMT (envelope-from tuexen@FreeBSD.org) Message-Id: <202005070344.0473iZpK045431@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: tuexen set sender to tuexen@FreeBSD.org using -f From: Michael Tuexen Date: Thu, 7 May 2020 03:44:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r360770 - stable/11/sys/netinet X-SVN-Group: stable-11 X-SVN-Commit-Author: tuexen X-SVN-Commit-Paths: stable/11/sys/netinet X-SVN-Commit-Revision: 360770 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 May 2020 03:44:36 -0000 Author: tuexen Date: Thu May 7 03:44:35 2020 New Revision: 360770 URL: https://svnweb.freebsd.org/changeset/base/360770 Log: MFC r360193, r360209: Improve input validation ofor AUTH chunks Improve input validation when processing AUTH chunks. Thanks to Natalie Silvanovich from Google for finding and reporting the issue found by her in the SCTP userland stack. Modified: stable/11/sys/netinet/sctp_input.c Directory Properties: stable/11/ (props changed) Modified: stable/11/sys/netinet/sctp_input.c ============================================================================== --- stable/11/sys/netinet/sctp_input.c Thu May 7 03:37:22 2020 (r360769) +++ stable/11/sys/netinet/sctp_input.c Thu May 7 03:44:35 2020 (r360770) @@ -2098,7 +2098,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in int init_offset, initack_offset, initack_limit; int retval; int error = 0; - uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE]; + uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE]; #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) struct socket *so; @@ -2277,8 +2277,11 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in if (auth_skipped) { struct sctp_auth_chunk *auth; - auth = (struct sctp_auth_chunk *) - sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); + if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) { + auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf); + } else { + auth = NULL; + } if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { /* auth HMAC failed, dump the assoc and packet */ SCTPDBG(SCTP_DEBUG_AUTH1, @@ -4671,11 +4674,13 @@ sctp_process_control(struct mbuf *m, int iphlen, int * if (auth_skipped && (stcb != NULL)) { struct sctp_auth_chunk *auth; - auth = (struct sctp_auth_chunk *) - sctp_m_getptr(m, auth_offset, - auth_len, chunk_buf); - got_auth = 1; - auth_skipped = 0; + if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) { + auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf); + got_auth = 1; + auth_skipped = 0; + } else { + auth = NULL; + } if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) { /* auth HMAC failed so dump it */