author | Michael Tuexen <tuexen@FreeBSD.org> | 2019-12-20 15:25:08 +0000 |
---|---|---|
committer | Michael Tuexen <tuexen@FreeBSD.org> | 2019-12-20 15:25:08 +0000 |
commit | 6088175a182d8052011b8cfcb792cc3092d43be8 (patch) | |
tree | 4e29995bd8563d5bccebb532a45235108f0d8cb9 | |
parent | 548dca90ae2fc3c0900c94a97e89aa97d6c36eae (diff) | |
Improve input validation for some parameters having a too small
reported length.
Thanks to Natalie Silvanovich from Google for finding one of these
issues in the SCTP userland stack and reporting it.
MFC after: 1 week
Notes
Notes:
svn path=/head/; revision=355931
-rw-r--r-- | sys/netinet/sctp_auth.c | 3 | ||||
-rw-r--r-- | sys/netinet/sctp_pcb.c | 5 |
2 files changed, 6 insertions, 2 deletions
diff --git a/sys/netinet/sctp_auth.c b/sys/netinet/sctp_auth.c
index f286ebf9d8d4..9712147dee76 100644
--- a/sys/netinet/sctp_auth.c
+++ b/sys/netinet/sctp_auth.c
@@ -1397,7 +1397,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
 ptype = ntohs(phdr->param_type);
 plen = ntohs(phdr->param_length);
- if ((plen == 0) || (offset + plen > length))
+ if ((plen < sizeof(struct sctp_paramhdr)) ||
+ (offset + plen > length))
 break;
 if (ptype == SCTP_RANDOM) {
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 18123416d3e5..32da85b5baee 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -6202,7 +6202,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
 if (offset + plen > limit) {
 break;
 }
- if (plen == 0) {
+ if (plen < sizeof(struct sctp_paramhdr)) {
 break;
 }
 #ifdef INET
@@ -6428,6 +6428,9 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
 if (plen > sizeof(lstore)) {
 return (-23);
 }
+ if (plen < sizeof(struct sctp_asconf_addrv4_param)) {
+ return (-101);
+ }
 phdr = sctp_get_next_param(m, offset, (struct sctp_paramhdr *)&lstore, plen); |
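Review bot: The new lower bound in the `if` of sctp_auth_get_cookie_params carries no comment saying why the parameter header size is the minimum, and the same open-coded test is repeated in the first sctp_pcb.c hunk. param_length counts the header itself, so the old `plen == 0` test let through non-zero lengths shorter than the header. What later code does with such a value is outside both hunks, though it presumably subtracts a header size from plen. I would put `/* param_length includes the header; anything shorter is malformed */` above both checks. Both loops start and end outside the hunks, so whether a malformed parameter is counted or logged before the `break` cannot be told from here.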
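Review bot: The lower bound added in the last sctp_pcb.c hunk compares plen only against the IPv4 form, `sizeof(struct sctp_asconf_addrv4_param)`, while the upper bound is `sizeof(lstore)`. If this branch also accepts an IPv6 address, any length between those two sizes still passes here and depends on an exact per-family length check after sctp_get_next_param(). That code lies outside the hunk, so it should be confirmed before relying on this guard. The bare `return (-101);` also joins `return (-23);` as an unexplained numeric code; a comment such as `/* shorter than the smallest (IPv4) address parameter */` would make the error path readable from the caller's side.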