From 0ec2ce0d32735e14708653ea08da055816f3f817 Mon Sep 17 00:00:00 2001 From: Michael Tuexen Date: Wed, 23 Dec 2020 18:03:47 +0100 Subject: [PATCH] Improve input validation for parameters in ASCONF and ASCONF-ACK chunks Thanks to Tolya Korniltsev for drawing my attention to this part of the code by reporting an issue for the userland stack. --- sys/netinet/sctp_asconf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/netinet/sctp_asconf.c b/sys/netinet/sctp_asconf.c index 3e425afef81..c06ddf7b1f2 100644 --- a/sys/netinet/sctp_asconf.c +++ b/sys/netinet/sctp_asconf.c @@ -723,7 +723,7 @@ sctp_handle_asconf(struct mbuf *m, unsigned int offset, sctp_m_freem(m_ack); return; } - if (param_length <= sizeof(struct sctp_paramhdr)) { + if (param_length < sizeof(struct sctp_asconf_paramhdr)) { SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf: param length (%u) too short\n", param_length); sctp_m_freem(m_ack); return; @@ -1743,7 +1743,7 @@ sctp_handle_asconf_ack(struct mbuf *m, int offset, sctp_asconf_ack_clear(stcb); return; } - if (param_length < sizeof(struct sctp_paramhdr)) { + if (param_length < sizeof(struct sctp_asconf_paramhdr)) { sctp_asconf_ack_clear(stcb); return; }