Date: Wed, 8 Oct 2014 15:29:50 +0000 (UTC) From: Michael Tuexen <tuexen@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r272750 - head/sys/netinet Message-ID: <201410081529.s98FToxK047954@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: tuexen Date: Wed Oct 8 15:29:49 2014 New Revision: 272750 URL: https://svnweb.freebsd.org/changeset/base/272750 Log: Ensure that the number of stream reported in srs_number_streams is consistent with the amount of data provided in the SCTP_RESET_STREAMS socket option. Thanks to Peter Bostroem from Google for drawing my attention to this part of the code. Modified: head/sys/netinet/sctp_usrreq.c Modified: head/sys/netinet/sctp_usrreq.c ============================================================================== --- head/sys/netinet/sctp_usrreq.c Wed Oct 8 12:33:31 2014 (r272749) +++ head/sys/netinet/sctp_usrreq.c Wed Oct 8 15:29:49 2014 (r272750) @@ -4431,6 +4431,12 @@ sctp_setopt(struct socket *so, int optna SCTP_TCB_UNLOCK(stcb); break; } + if (sizeof(struct sctp_reset_streams) + + strrst->srs_number_streams * sizeof(uint16_t) > optsize) { + error = EINVAL; + SCTP_TCB_UNLOCK(stcb); + break; + } if (stcb->asoc.stream_reset_outstanding) { SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EALREADY); error = EALREADY;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201410081529.s98FToxK047954>