Date: Wed, 1 Feb 2023 22:28:49 GMT From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: a8ac188a425a - stable/13 - sctp: ensure that ASCONF chunks are not too large Message-ID: <202302012228.311MSneL072357@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by tuexen: URL: https://cgit.FreeBSD.org/src/commit/?id=a8ac188a425aaab990477c72e1b8c59fb7b6bf69 commit a8ac188a425aaab990477c72e1b8c59fb7b6bf69 Author: Michael Tuexen <tuexen@FreeBSD.org> AuthorDate: 2022-03-29 23:22:20 +0000 Commit: Michael Tuexen <tuexen@FreeBSD.org> CommitDate: 2023-02-01 22:28:28 +0000 sctp: ensure that ASCONF chunks are not too large (cherry picked from commit 218e463b85c4b78af93583cfc3d95a1cab8408bf) --- sys/netinet/sctp_asconf.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/sys/netinet/sctp_asconf.c b/sys/netinet/sctp_asconf.c index 411440468856..a4457471410e 100644 --- a/sys/netinet/sctp_asconf.c +++ b/sys/netinet/sctp_asconf.c @@ -2561,7 +2561,7 @@ sctp_compose_asconf(struct sctp_tcb *stcb, int *retlen, int addr_locked) struct sctp_asconf_chunk *acp; struct sctp_asconf_paramhdr *aph; struct sctp_asconf_addr_param *aap; - uint32_t p_length; + uint32_t p_length, overhead; uint32_t correlation_id = 1; /* 0 is reserved... */ caddr_t ptr, lookup_ptr; uint8_t lookup_used = 0; @@ -2574,6 +2574,20 @@ sctp_compose_asconf(struct sctp_tcb *stcb, int *retlen, int addr_locked) if (aa == NULL) return (NULL); + /* Consider IP header and SCTP common header. */ + if (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_BOUND_V6) { + overhead = SCTP_MIN_OVERHEAD; + } else { + overhead = SCTP_MIN_V4_OVERHEAD; + } + /* Consider ASONF chunk. */ + overhead += sizeof(struct sctp_asconf_chunk); + /* Consider AUTH chunk. */ + overhead += sctp_get_auth_chunk_len(stcb->asoc.peer_hmac_id); + if (stcb->asoc.smallest_mtu <= overhead) { + /* MTU too small. */ + return (NULL); + } /* * get a chunk header mbuf and a cluster for the asconf params since * it's simpler to fill in the asconf chunk header lookup address on @@ -2615,7 +2629,7 @@ sctp_compose_asconf(struct sctp_tcb *stcb, int *retlen, int addr_locked) /* get the parameter length */ p_length = SCTP_SIZE32(aa->ap.aph.ph.param_length); /* will it fit in current chunk? */ - if ((SCTP_BUF_LEN(m_asconf) + p_length > stcb->asoc.smallest_mtu) || + if ((SCTP_BUF_LEN(m_asconf) + p_length > stcb->asoc.smallest_mtu - overhead) || (SCTP_BUF_LEN(m_asconf) + p_length > MCLBYTES)) { /* won't fit, so we're done with this chunk */ break;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202302012228.311MSneL072357>