Author: tuexen
Date: Sun Dec 13 23:51:51 2020
New Revision: 368622
URL: https://svnweb.freebsd.org/changeset/base/368622

Log:
  Harden the handling of outgoing streams in case of a restart or INIT
  collision. This avoids an out-of-bounds access in case the peer can
  break the cookie signature. Thanks to Felix Wilhelm from Google for
  reporting the issue.
  
  MFC after:            1 week

Modified:
  head/sys/netinet/sctp_input.c

Modified: head/sys/netinet/sctp_input.c
==============================================================================
--- head/sys/netinet/sctp_input.c       Sun Dec 13 23:32:50 2020        
(r368621)
+++ head/sys/netinet/sctp_input.c       Sun Dec 13 23:51:51 2020        
(r368622)
@@ -1699,7 +1699,9 @@ sctp_process_cookie_existing(struct mbuf *m, int iphle
                            NULL);
                }
                asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
-               asoc->pre_open_streams = 
ntohs(initack_cp->init.num_outbound_streams);
+               if (asoc->pre_open_streams < asoc->streamoutcnt) {
+                       asoc->pre_open_streams = asoc->streamoutcnt;
+               }
 
                if (ntohl(init_cp->init.initiate_tag) != asoc->peer_vtag) {
                        /*
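Review bot: The new guard at the replaced assignment silently drops the cookie-carried `num_outbound_streams` and keeps whatever `pre_open_streams` already holds, only raising it to `streamoutcnt`; nothing in the hunk says why, and a later reader may "restore" the assignment. A one-line comment above the `if` would pin the intent: `/* Do not trust the cookie's stream count here: never let a restart shrink pre_open_streams below the streams already allocated (streamoutcnt). */`. The identical guard appears again in the second hunk of sctp_process_cookie_existing (the SCTP_STATE_OPEN path), which would take the same comment or, better, a shared static inline helper so the two copies cannot drift. Whether `pre_open_streams` is guaranteed to hold a sane value on entry to this function is not visible in the hunk and should be confirmed against the INIT/INIT-ACK processing path. The enclosing function starts and ends outside the hunk.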
@@ -1831,7 +1833,9 @@ sctp_process_cookie_existing(struct mbuf *m, int iphle
                        /* move to OPEN state, if not in SHUTDOWN_SENT */
                        SCTP_SET_STATE(stcb, SCTP_STATE_OPEN);
                }
-               asoc->pre_open_streams = 
ntohs(initack_cp->init.num_outbound_streams);
+               if (asoc->pre_open_streams < asoc->streamoutcnt) {
+                       asoc->pre_open_streams = asoc->streamoutcnt;
+               }
                asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
                asoc->sending_seq = asoc->asconf_seq_out = 
asoc->str_reset_seq_out = asoc->init_seq_number;
                asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;
@@ -2108,7 +2112,6 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, in
        /* process the INIT-ACK info (my info) */
        asoc->my_vtag = ntohl(initack_cp->init.initiate_tag);
        asoc->my_rwnd = ntohl(initack_cp->init.a_rwnd);
-       asoc->pre_open_streams = ntohs(initack_cp->init.num_outbound_streams);
        asoc->init_seq_number = ntohl(initack_cp->init.initial_tsn);
        asoc->sending_seq = asoc->asconf_seq_out = asoc->str_reset_seq_out = 
asoc->init_seq_number;
        asoc->asconf_seq_out_acked = asoc->asconf_seq_out - 1;