Date:      Mon, 26 Apr 2021 20:27:09 GMT
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: c70d1ef15db0 - main - sctp: improve handling of illegal packets containing INIT chunks
Message-ID:  <202104262027.13QKR9DU086108@gitrepo.freebsd.org>

The branch main has been updated by tuexen:

URL: https://cgit.FreeBSD.org/src/commit/?id=c70d1ef15db0d994eff4a2c4d9feabdc46bff1c6

commit c70d1ef15db0d994eff4a2c4d9feabdc46bff1c6
Author:     Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2021-04-26 08:38:05 +0000
Commit:     Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2021-04-26 08:43:58 +0000

    sctp: improve handling of illegal packets containing INIT chunks
    
    Stop further processing of a packet when detecting that it
    contains an INIT chunk which is too small or is not the only
    chunk in the packet. Still allow the processing of chunks
    before the INIT chunk to finish.
    
    Thanks to Antoly Korniltsev and Taylor Brandstetter for reporting
    an issue with the userland stack, which made me aware of this
    issue.
    
    MFC after:      3 days
---
 sys/netinet/sctp_input.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index 5b4c3152da0d..c70358f0af07 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -4611,10 +4611,7 @@ process_control_chunks:
 		    chunk_buf);
 		if (ch == NULL) {
 			*offset = length;
-			if (stcb != NULL) {
-				SCTP_TCB_UNLOCK(stcb);
-			}
-			return (NULL);
+			return (stcb);
 		}
 
 		num_chunks++;
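Review bot: at the `ch == NULL` early return, the function now hands back `stcb` with its TCB lock still held instead of unlocking and returning NULL, so every caller must treat a non-NULL result with `*offset == length` as "stop processing, then unlock"; the removed `SCTP_TCB_UNLOCK(stcb)` was the only hint of that contract, so a one-line comment at `return (stcb);` saying the lock is intentionally kept for the caller would make the change reviewable on its own.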
@@ -4648,12 +4645,12 @@ process_control_chunks:
 			/* The INIT chunk must be the only chunk. */
 			if ((num_chunks > 1) ||
 			    (length - *offset > (int)SCTP_SIZE32(chk_length))) {
-				/* RFC 4960 requires that no ABORT is sent */
+				/*
+				 * RFC 4960bis requires stopping the
+				 * processing of the packet.
+				 */
 				*offset = length;
-				if (stcb != NULL) {
-					SCTP_TCB_UNLOCK(stcb);
-				}
-				return (NULL);
+				return (stcb);
 			}
 			/* Honor our resource limit. */
 			if (chk_length > SCTP_LARGEST_INIT_ACCEPTED) {
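Review bot: the replacement comment cites "RFC 4960bis" without a draft name or section, so the next reader cannot check which requirement the early return implements; naming the document and section would fix that. The fact the old comment recorded, that no ABORT is sent on this path, still holds (the function only sets `*offset = length` and returns) and is worth keeping alongside the new text, since a reader of the diff could otherwise assume the ABORT behaviour changed. The condition `(num_chunks > 1) || (length - *offset > (int)SCTP_SIZE32(chk_length))` is unchanged; as in the previous hunk the returned `stcb` stays locked, so callers that previously received NULL now own the unlock.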



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202104262027.13QKR9DU086108>