git: 0ec2ce0d3273 - Improve input validation for parameters in ASCONF and ASCONF-ACK chunks
Michael Tuexen
tuexen at FreeBSD.org
Wed Dec 23 17:05:52 UTC 2020
The branch main has been updated by tuexen:
URL: https://cgit.FreeBSD.org/src/commit/?id=0ec2ce0d32735e14708653ea08da055816f3f817
commit 0ec2ce0d32735e14708653ea08da055816f3f817
Author: Michael Tuexen <tuexen at FreeBSD.org>
AuthorDate: 2020-12-23 17:03:47 +0000
Commit: Michael Tuexen <tuexen at FreeBSD.org>
CommitDate: 2020-12-23 17:03:47 +0000
Improve input validation for parameters in ASCONF and ASCONF-ACK chunks
Thanks to Tolya Korniltsev for drawing my attention to this part of the
code by reporting an issue for the userland stack.
---
sys/netinet/sctp_asconf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/sctp_asconf.c b/sys/netinet/sctp_asconf.c
index 3e425afef81a..c06ddf7b1f2e 100644
--- a/sys/netinet/sctp_asconf.c
+++ b/sys/netinet/sctp_asconf.c
@@ -723,7 +723,7 @@ sctp_handle_asconf(struct mbuf *m, unsigned int offset,
sctp_m_freem(m_ack);
return;
}
- if (param_length <= sizeof(struct sctp_paramhdr)) {
+ if (param_length < sizeof(struct sctp_asconf_paramhdr)) {
SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf: param length (%u) too short\n", param_length);
sctp_m_freem(m_ack);
return;
@@ -1743,7 +1743,7 @@ sctp_handle_asconf_ack(struct mbuf *m, int offset,
sctp_asconf_ack_clear(stcb);
return;
}
- if (param_length < sizeof(struct sctp_paramhdr)) {
+ if (param_length < sizeof(struct sctp_asconf_paramhdr)) {
sctp_asconf_ack_clear(stcb);
return;
}
More information about the dev-commits-src-main
mailing list