Date:      Sun, 23 Aug 2020 22:34:15 +0000 (UTC)
From:      Michael Tuexen <tuexen@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject:   svn commit: r364577 - stable/12/sys/netinet
Message-ID:  <202008232234.07NMYFoc005272@repo.freebsd.org>

Author: tuexen
Date: Sun Aug 23 22:34:15 2020
New Revision: 364577
URL: https://svnweb.freebsd.org/changeset/base/364577

Log:
  MFC r360193:
  Improve input validation when processing AUTH chunks.
  
  Thanks to Natalie Silvanovich from Google for finding and reporting the
  issue found by her in the SCTP userland stack.

Modified:
  stable/12/sys/netinet/sctp_input.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sys/netinet/sctp_input.c
==============================================================================
--- stable/12/sys/netinet/sctp_input.c	Sun Aug 23 22:30:52 2020	(r364576)
+++ stable/12/sys/netinet/sctp_input.c	Sun Aug 23 22:34:15 2020	(r364577)
@@ -2273,8 +2273,11 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in
 	if (auth_skipped) {
 		struct sctp_auth_chunk *auth;
 
-		auth = (struct sctp_auth_chunk *)
-		    sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
+		if (auth_len <= SCTP_PARAM_BUFFER_SIZE) {
+			auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
+		} else {
+			auth = NULL;
+		}
 		if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
 			/* auth HMAC failed, dump the assoc and packet */
 			SCTPDBG(SCTP_DEBUG_AUTH1,
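
Review bot: The bound in the new `if (auth_len <= SCTP_PARAM_BUFFER_SIZE)` test is a named constant, while the object it protects is auth_chunk_buf, which is passed to sctp_m_getptr() together with auth_len and whose declaration is outside this hunk. If the array is declared with that size, writing the test as `auth_len <= sizeof(auth_chunk_buf)` would keep the check tied to the buffer should the declaration ever change; otherwise please confirm the two match. Two smaller points: an oversized AUTH chunk now reaches the branch commented "auth HMAC failed", so that comment and the SCTPDBG message could name a rejected length as a second cause, which helps when reading debug output; and the joined sctp_m_getptr() line runs past 80 columns where the removed lines were wrapped.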


