Author: tuexen
Date: Tue May 8 18:48:51 2018
New Revision: 333382
URL: https://svnweb.freebsd.org/changeset/base/333382
Log:
  When reporting ERROR or ABORT chunks, don't use more data than is guaranteed to be contiguous.
  Thanks to Felix Weinrank for finding and reporting this bug by fuzzing the usrsctp stack.

  MFC after: 3 days

Modified:
  head/sys/netinet/sctputil.c

Modified: head/sys/netinet/sctputil.c
==============================================================================
--- head/sys/netinet/sctputil.c Tue May 8 18:25:37 2018 (r333381) +++ head/sys/netinet/sctputil.c Tue May 8 18:48:51 2018 (r333382) @@ -2660,6 +2660,13 @@ sctp_notify_assoc_change(uint16_t state, struct sctp_t notif_len = (unsigned int)sizeof(struct sctp_assoc_change); if (abort != NULL) { abort_len = ntohs(abort->ch.chunk_length); + /* + * Only SCTP_CHUNK_BUFFER_SIZE are guaranteed to be + * contiguos. + */ + if (abort_len > SCTP_CHUNK_BUFFER_SIZE) { + abort_len = SCTP_CHUNK_BUFFER_SIZE; + } } else { abort_len = 0; } @@ -3565,6 +3572,13 @@ sctp_notify_remote_error(struct sctp_tcb *stcb, uint16 } if (chunk != NULL) { chunk_len = ntohs(chunk->ch.chunk_length); + /* + * Only SCTP_CHUNK_BUFFER_SIZE are guaranteed to be + * contiguos. + */ + if (chunk_len > SCTP_CHUNK_BUFFER_SIZE) { + chunk_len = SCTP_CHUNK_BUFFER_SIZE; + } } else { chunk_len = 0; }
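
Review bot: In sctp_notify_assoc_change(), the new clamp changes only the local abort_len; abort->ch.chunk_length still holds the value taken from the received chunk, so anything further down that trusts the chunk header instead of abort_len would see a length larger than the data actually reported. It would help to say in the comment that the reported data is truncated in that case, and to fix the wording while there: "Only SCTP_CHUNK_BUFFER_SIZE bytes are guaranteed to be contiguous."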
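
Review bot: In sctp_notify_remote_error(), the added block is a verbatim copy of the one in sctp_notify_assoc_change() with only the variable renamed; a small shared helper or macro that clamps a chunk length to SCTP_CHUNK_BUFFER_SIZE would keep the two sites from drifting apart. The check also bounds chunk_len from above only: a chunk_length smaller than the chunk header is not handled in the lines shown, so it is worth confirming that this is validated before this point.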