Improve input validation for parameters in ASCONF and ASCONF-ACK chunks
Thanks to Tolya Korniltsev for drawing my attention to this part of the code by reporting an issue for the userland stack.
@@ -723,7 +723,7 @@ sctp_handle_asconf(struct mbuf *m, unsigned int offset,
|
||||
sctp_m_freem(m_ack);
|
||||
return;
|
||||
}
|
||||
if (param_length <= sizeof(struct sctp_paramhdr)) {
|
||||
if (param_length < sizeof(struct sctp_asconf_paramhdr)) {
|
||||
SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf: param length (%u) too short\n", param_length);
|
||||
sctp_m_freem(m_ack);
|
||||
return;
|
||||
@@ -1743,7 +1743,7 @@ sctp_handle_asconf_ack(struct mbuf *m, int offset,
|
||||
sctp_asconf_ack_clear(stcb);
|
||||
return;
|
||||
}
|
||||
if (param_length < sizeof(struct sctp_paramhdr)) {
|
||||
if (param_length < sizeof(struct sctp_asconf_paramhdr)) {
|
||||
sctp_asconf_ack_clear(stcb);
|
||||
return;
|
||||
}
|
||||
|
||||
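Review bot: The too-short branch in the `sctp_handle_asconf_ack` hunk calls `sctp_asconf_ack_clear(stcb)` and returns without logging, whereas the same branch in `sctp_handle_asconf` reports the offending length through SCTPDBG, so a malformed ASCONF-ACK parameter from the peer leaves no trace for whoever is debugging the association. I would add `SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf_ack: param length (%u) too short\n", param_length);` ahead of the clear call, assuming `param_length` has the same unsigned type there as in the ASCONF handler. Both conditions are printed without +/- markers, so I am reading the comparison against `sizeof(struct sctp_asconf_paramhdr)` as the new side. A one-line comment such as `/* shorter than the ASCONF parameter header: nothing valid to parse */` above each check would make the reason for the larger minimum explicit. Both functions start and end outside the hunks shown, so any per-type length checks that follow cannot be confirmed from this page.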