Improve input validation for parameters in ASCONF and ASCONF-ACK chunks

Thanks to Tolya Korniltsev for drawing my attention to this part of the
code by reporting an issue for the userland stack.
Michael Tuexen
2020-12-23 18:03:47 +01:00
parent 878d53410f
commit 0ec2ce0d32
+2 -2
@@ -723,7 +723,7 @@ sctp_handle_asconf(struct mbuf *m, unsigned int offset,
sctp_m_freem(m_ack);
return;
}
if (param_length <= sizeof(struct sctp_paramhdr)) {
if (param_length < sizeof(struct sctp_asconf_paramhdr)) {
SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf: param length (%u) too short\n", param_length);
sctp_m_freem(m_ack);
return;
@@ -1743,7 +1743,7 @@ sctp_handle_asconf_ack(struct mbuf *m, int offset,
sctp_asconf_ack_clear(stcb);
return;
}
if (param_length < sizeof(struct sctp_paramhdr)) {
if (param_length < sizeof(struct sctp_asconf_paramhdr)) {
sctp_asconf_ack_clear(stcb);
return;
}
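Review bot: The new lower bound in sctp_handle_asconf compares with `<` where the old test used `<=`, so a parameter whose length is exactly `sizeof(struct sctp_asconf_paramhdr)` (header only, no payload) now passes; the identical test in sctp_handle_asconf_ack behaves the same way. Since param_length is taken from the peer's chunk, any per-type handler that reads an embedded address parameter after the header presumably has to verify the remaining length itself. Those handlers are outside the visible hunks, so this should be confirmed. If header-only parameters are meant to reach the handlers, a comment above the check would make the contract explicit, for example `/* Only the ASCONF parameter header is guaranteed here; handlers must validate any payload length. */`. Both functions begin and end outside the hunks shown.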