pf: improve ASCONF chunk validation
When processing an ASCONF chunk we failed to verify that the chunk length was at least 8 bytes. As a result we might end up passing a negative length to pf_multihome_scan(). Fortunately this merely meant the function did nothing, but we should discard such invalid packets, so explicitly check for this. MFC after: 1 week Reported by: Mark Johnston Sponsored by: Orange Business Services
@@ -8462,6 +8462,9 @@ pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op)
|
||||
NULL, pd->af))
|
||||
return (PF_DROP);
|
||||
|
||||
if (ntohs(ah.ph.param_length) < sizeof(ah))
|
||||
return (PF_DROP);
|
||||
|
||||
ret = pf_multihome_scan(start + off + sizeof(ah),
|
||||
ntohs(ah.ph.param_length) - sizeof(ah), pd,
|
||||
SCTP_ADD_IP_ADDRESS);
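Review bot: The added `ntohs(ah.ph.param_length) < sizeof(ah)` test in the SCTP_ADD_IP_ADDRESS branch bounds the parameter length only from below. Nothing visible in this hunk compares it with what is left of the enclosing scan (`len - off`), so a parameter that claims more bytes than its chunk holds would still make the nested pf_multihome_scan() call parse data beyond the chunk. The surrounding loop lies outside the hunk; if it does not already enforce this, the guard could become `if (ntohs(ah.ph.param_length) < sizeof(ah) || ntohs(ah.ph.param_length) > len - off) return (PF_DROP);`. The same point applies to the SCTP_DEL_IP_ADDRESS branch in the second hunk. Reading the length once into a local would also avoid calling ntohs() on the same field for both the check and the subtraction in each branch.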
|
||||
@@ -8476,6 +8479,10 @@ pf_multihome_scan(int start, int len, struct pf_pdesc *pd, int op)
|
||||
if (!pf_pull_hdr(pd->m, start + off, &ah, sizeof(ah),
|
||||
NULL, pd->af))
|
||||
return (PF_DROP);
|
||||
|
||||
if (ntohs(ah.ph.param_length) < sizeof(ah))
|
||||
return (PF_DROP);
|
||||
|
||||
ret = pf_multihome_scan(start + off + sizeof(ah),
|
||||
ntohs(ah.ph.param_length) - sizeof(ah), pd,
|
||||
SCTP_DEL_IP_ADDRESS);
|
||||
|
||||