diff options
author | Michael Tuexen <tuexen@FreeBSD.org> | 2018-06-02 16:28:10 +0000 |
---|---|---|
committer | Michael Tuexen <tuexen@FreeBSD.org> | 2018-06-02 16:28:10 +0000 |
commit | 13500cbb61cc2984494d78633b311ecc2dec4e1c (patch) | |
tree | a94e30cd20ed86713d905f0940eaec2c7c1e81da | |
parent | 51b29cb7b3fb7f21c844d707fd6e3ebe86e8d347 (diff) | |
download | src-13500cbb61cc2984494d78633b311ecc2dec4e1c.tar.gz src-13500cbb61cc2984494d78633b311ecc2dec4e1c.zip |
Don't overflow a buffer if we receive an INIT or INIT-ACK chunk
without a RANDOM parameter but with a CHUNKS or HMAC-ALGO parameter.
Please note that sending this combination violates the specification.
Thnanks to Ronald E. Crane for reporting the issue for the userland
stack.
MFC after: 3 days
Notes
Notes:
svn path=/head/; revision=334532
-rw-r--r-- | sys/netinet/sctp_auth.c | 2 | ||||
-rw-r--r-- | sys/netinet/sctp_pcb.c | 2 |
2 files changed, 4 insertions, 0 deletions
diff --git a/sys/netinet/sctp_auth.c b/sys/netinet/sctp_auth.c index 9ba52c94d727..c562bb7e17b6 100644 --- a/sys/netinet/sctp_auth.c +++ b/sys/netinet/sctp_auth.c @@ -1504,6 +1504,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m, if (p_random != NULL) { keylen = sizeof(*p_random) + random_len; memcpy(new_key->key, p_random, keylen); + } else { + keylen = 0; } /* append in the AUTH chunks */ if (chunks != NULL) { diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index b13f2c980718..efe31a4f53b8 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c @@ -6704,6 +6704,8 @@ next_param: if (p_random != NULL) { keylen = sizeof(*p_random) + random_len; memcpy(new_key->key, p_random, keylen); + } else { + keylen = 0; } /* append in the AUTH chunks */ if (chunks != NULL) { |