Author: tuexen
Date: Fri Jun 23 10:09:49 2017
New Revision: 320264
URL: https://svnweb.freebsd.org/changeset/base/320264

Log:
  Check the length of a COOKIE chunk before accessing fields in it.
  
  Thanks to Felix Weinrank for reporting the issue he found by using
  libFuzzer.
  
  MFC after:    3 days

Modified:
  head/sys/netinet/sctp_input.c

Modified: head/sys/netinet/sctp_input.c
==============================================================================
--- head/sys/netinet/sctp_input.c       Fri Jun 23 09:27:31 2017        
(r320263)
+++ head/sys/netinet/sctp_input.c       Fri Jun 23 10:09:49 2017        
(r320264)
@@ -2441,6 +2441,12 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, in
        cookie_offset = offset + sizeof(struct sctp_chunkhdr);
        cookie_len = ntohs(cp->ch.chunk_length);
 
+       if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
+           sizeof(struct sctp_init_chunk) +
+           sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
+               /* cookie too small */
+               return (NULL);
+       }
        if ((cookie->peerport != sh->src_port) ||
            (cookie->myport != sh->dest_port) ||
            (cookie->my_vtag != sh->v_tag)) {
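Review bot: The new guard bounds only the declared `chunk_length` (copied into `cookie_len` from the wire), so the reads of `cookie->peerport`, `cookie->myport` and `cookie->my_vtag` that follow are safe only if the bytes behind `cp`/`cookie` are really present in the mbuf chain — either because the caller already checked `chunk_length` against the remaining packet length, or because `cp` was fetched with at least that many bytes; neither is visible in this hunk, so this should be confirmed at the caller rather than assumed. If `cp` was pulled with just `sizeof(struct sctp_chunkhdr)` bytes and nothing bounds `chunk_length` by the packet, a forged length passes this check and the field reads still run past the data. I would also make the dependency explicit in the comment, e.g. `/* cookie too small: it must at least hold an INIT, an INIT-ACK and the signature; relies on the caller having bounded chunk_length by the packet length */`, since the fields below are read with no further length checks. `sctp_handle_cookie_echo` starts before this hunk and its body continues past it.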
@@ -2451,12 +2457,6 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, in
                 * This maintains the match even though it may be in the
                 * opposite byte order of the machine :->
                 */
-               return (NULL);
-       }
-       if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) +
-           sizeof(struct sctp_init_chunk) +
-           sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) {
-               /* cookie too small */
                return (NULL);
        }
        /*