svn commit: r352005 - stable/12/sys/netinet
Michael Tuexen
tuexen at FreeBSD.org
Sat Sep 7 12:13:59 UTC 2019
Author: tuexen
Date: Sat Sep 7 12:13:58 2019
New Revision: 352005
URL: https://svnweb.freebsd.org/changeset/base/352005
Log:
MFC r351638:
Improve the handling of illegal sequence number combinations in received
data chunks. Abort the association if there are data chunks with larger
fragment sequence numbers than the fragment sequence number of the last
fragment.
Thanks to Mark Wodrich from Google who found this issue by fuzz testing
the userland stack and reporting this issue in
https://github.com/sctplab/usrsctp/issues/355
Modified:
stable/12/sys/netinet/sctp_indata.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/sys/netinet/sctp_indata.c
==============================================================================
--- stable/12/sys/netinet/sctp_indata.c Sat Sep 7 12:03:13 2019 (r352004)
+++ stable/12/sys/netinet/sctp_indata.c Sat Sep 7 12:13:58 2019 (r352005)
@@ -1479,6 +1479,16 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc
"The last fsn is now in place fsn: %u\n",
chk->rec.data.fsn);
control->last_frag_seen = 1;
+ if (SCTP_TSN_GT(control->top_fsn, chk->rec.data.fsn)) {
+ SCTPDBG(SCTP_DEBUG_XXX,
+ "New fsn: %u is not at top_fsn: %u -- abort\n",
+ chk->rec.data.fsn,
+ control->top_fsn);
+ sctp_abort_in_reasm(stcb, control, chk,
+ abort_flag,
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_9);
+ return;
+ }
}
if (asoc->idata_supported || control->first_frag_seen) {
/*
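Review bot: The new check `if (SCTP_TSN_GT(control->top_fsn, chk->rec.data.fsn))` has no comment stating the invariant it enforces, and its debug text "is not at top_fsn" understates the condition. It fires only when an already-recorded `top_fsn` is greater than the FSN of the fragment that was just marked as the last one. A comment such as `/* A fragment beyond the last fragment was already seen; the peer's FSNs are inconsistent, so abort. */` above the check would make the intent clear to the next reader. This site also takes over `SCTP_LOC_9`, and the later hunks shift each following code up by one, so a given location code names a different abort site before and after this revision; that matters when correlating abort diagnostics across kernels. The body of sctp_queue_data_for_reasm starts and ends outside the hunk.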
@@ -1494,7 +1504,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc
*/
sctp_abort_in_reasm(stcb, control, chk,
abort_flag,
- SCTP_FROM_SCTP_INDATA + SCTP_LOC_9);
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_10);
return;
}
}
@@ -1506,7 +1516,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc
chk->rec.data.fsn, control->top_fsn);
sctp_abort_in_reasm(stcb, control,
chk, abort_flag,
- SCTP_FROM_SCTP_INDATA + SCTP_LOC_10);
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_11);
return;
}
if (asoc->idata_supported || control->first_frag_seen) {
@@ -1527,7 +1537,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc
chk->rec.data.fsn, control->fsn_included);
sctp_abort_in_reasm(stcb, control, chk,
abort_flag,
- SCTP_FROM_SCTP_INDATA + SCTP_LOC_11);
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_12);
return;
}
}
@@ -1542,7 +1552,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc
control->top_fsn);
sctp_abort_in_reasm(stcb, control, chk,
abort_flag,
- SCTP_FROM_SCTP_INDATA + SCTP_LOC_12);
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_13);
return;
}
}
@@ -1585,7 +1595,7 @@ sctp_queue_data_for_reasm(struct sctp_tcb *stcb, struc
at->rec.data.fsn);
sctp_abort_in_reasm(stcb, control,
chk, abort_flag,
- SCTP_FROM_SCTP_INDATA + SCTP_LOC_13);
+ SCTP_FROM_SCTP_INDATA + SCTP_LOC_14);
return;
}
}