author | Michael Tuexen <tuexen@FreeBSD.org> | 2020-12-23 17:03:47 +0000 |
---|---|---|
committer | Michael Tuexen <tuexen@FreeBSD.org> | 2020-12-23 17:03:47 +0000 |
commit | 0ec2ce0d32735e14708653ea08da055816f3f817 (patch) | |
tree | ed6352633f39ccac181c6c7a00d3a608ea726b36 | |
parent | 878d53410f75dbd9401def736562c906f8fecc33 (diff) | |
Improve input validation for parameters in ASCONF and ASCONF-ACK chunks
Thanks to Tolya Korniltsev for drawing my attention to this part of the
code by reporting an issue for the userland stack.
-rw-r--r-- | sys/netinet/sctp_asconf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/netinet/sctp_asconf.c b/sys/netinet/sctp_asconf.c
index 3e425afef81a..c06ddf7b1f2e 100644
--- a/sys/netinet/sctp_asconf.c
+++ b/sys/netinet/sctp_asconf.c
@@ -723,7 +723,7 @@ sctp_handle_asconf(struct mbuf *m, unsigned int offset,
 sctp_m_freem(m_ack);
 return;
 }
- if (param_length <= sizeof(struct sctp_paramhdr)) {
+ if (param_length < sizeof(struct sctp_asconf_paramhdr)) {
 SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf: param length (%u) too short\n", param_length);
 sctp_m_freem(m_ack);
 return;
@@ -1743,7 +1743,7 @@ sctp_handle_asconf_ack(struct mbuf *m, int offset,
 sctp_asconf_ack_clear(stcb);
 return;
 }
- if (param_length < sizeof(struct sctp_paramhdr)) {
+ if (param_length < sizeof(struct sctp_asconf_paramhdr)) {
 sctp_asconf_ack_clear(stcb);
 return;
 } |
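Review bot: The new lower bound in sctp_handle_asconf still accepts a parameter that is exactly `sizeof(struct sctp_asconf_paramhdr)` long, that is, an ASCONF parameter header with no address parameter behind it. The dispatch on the parameter type lies outside this hunk, so it cannot be confirmed from here that each handler re-checks the length before reading the embedded address parameter. That is worth verifying, since param_length is presumably taken from the peer's chunk. A short comment above the check would record the contract, for example `/* need at least the ASCONF parameter header; per-type handlers validate the embedded address */`. The enclosing loop starts and ends outside the hunk.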
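Review bot: The short-parameter branch in sctp_handle_asconf_ack drops the chunk silently, while the matching branch in sctp_handle_asconf logs the offending length. A malformed ASCONF-ACK is a useful signal when investigating a misbehaving peer, so consider adding `SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf_ack: param length (%u) too short\n", param_length);` before `sctp_asconf_ack_clear(stcb);`. The declaration of param_length is not visible here, so confirm the format specifier matches its type. The function body continues outside the hunk.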