diff options
-rwxr-xr-x | netwerk/sctp/src/netinet/sctp.h | 7 | ||||
-rwxr-xr-x | netwerk/sctp/src/netinet/sctp_auth.c | 5 | ||||
-rwxr-xr-x | netwerk/sctp/src/netinet/sctp_pcb.c | 7 | ||||
-rwxr-xr-x | netwerk/sctp/src/netinet/sctp_usrreq.c | 14 |
4 files changed, 24 insertions, 9 deletions
diff --git a/netwerk/sctp/src/netinet/sctp.h b/netwerk/sctp/src/netinet/sctp.h index a5ff4eb0b..962ce1140 100755 --- a/netwerk/sctp/src/netinet/sctp.h +++ b/netwerk/sctp/src/netinet/sctp.h @@ -32,7 +32,7 @@ #ifdef __FreeBSD__ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: head/sys/netinet/sctp.h 279859 2015-03-10 19:49:25Z tuexen $"); +__FBSDID("$FreeBSD: head/sys/netinet/sctp.h 356270 2020-01-02 13:55:10Z tuexen $"); #endif #ifndef _NETINET_SCTP_H_ @@ -598,7 +598,10 @@ struct sctp_error_no_user_data { #define SCTP_MOBILITY_PRIM_DELETED 0x00000004 -#define SCTP_SMALLEST_PMTU 512 /* smallest pmtu allowed when disabling PMTU discovery */ +/* Smallest PMTU allowed when disabling PMTU discovery */ +#define SCTP_SMALLEST_PMTU 512 +/* Largest PMTU allowed when disabling PMTU discovery */ +#define SCTP_LARGEST_PMTU 65536 #if defined(__Userspace_os_Windows) #pragma pack() diff --git a/netwerk/sctp/src/netinet/sctp_auth.c b/netwerk/sctp/src/netinet/sctp_auth.c index ee5ca36ce..4e9f7e4cd 100755 --- a/netwerk/sctp/src/netinet/sctp_auth.c +++ b/netwerk/sctp/src/netinet/sctp_auth.c @@ -32,7 +32,7 @@ #ifdef __FreeBSD__ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 271673 2014-09-16 14:20:33Z tuexen $"); +__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 355931 2019-12-20 15:25:08Z tuexen $"); #endif #include <netinet/sctp_os.h> @@ -1450,7 +1450,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m, ptype = ntohs(phdr->param_type); plen = ntohs(phdr->param_length); - if ((plen == 0) || (offset + plen > length)) + if ((plen < sizeof(struct sctp_paramhdr)) || + (offset + plen > length)) break; if (ptype == SCTP_RANDOM) { diff --git a/netwerk/sctp/src/netinet/sctp_pcb.c b/netwerk/sctp/src/netinet/sctp_pcb.c index 58c164f50..ea5725c85 100755 --- a/netwerk/sctp/src/netinet/sctp_pcb.c +++ b/netwerk/sctp/src/netinet/sctp_pcb.c @@ -32,7 +32,7 @@ #ifdef __FreeBSD__ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: head/sys/netinet/sctp_pcb.c 280459 2015-03-24 21:12:45Z tuexen $"); +__FBSDID("$FreeBSD: head/sys/netinet/sctp_pcb.c 355931 2019-12-20 15:25:08Z tuexen $"); #endif #include <netinet/sctp_os.h> @@ -7213,7 +7213,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, if (offset + plen > limit) { break; } - if (plen == 0) { + if (plen < sizeof(struct sctp_paramhdr)) { break; } #ifdef INET @@ -7413,6 +7413,9 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, if (plen > sizeof(lstore)) { return (-23); } + if (plen < sizeof(struct sctp_asconf_addrv4_param)) { + return (-101); + } phdr = sctp_get_next_param(m, offset, (struct sctp_paramhdr *)&lstore, min(plen,sizeof(lstore))); diff --git a/netwerk/sctp/src/netinet/sctp_usrreq.c b/netwerk/sctp/src/netinet/sctp_usrreq.c index d24a21815..7ffd8e8c8 100755 --- a/netwerk/sctp/src/netinet/sctp_usrreq.c +++ b/netwerk/sctp/src/netinet/sctp_usrreq.c @@ -32,7 +32,7 @@ #ifdef __FreeBSD__ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: head/sys/netinet/sctp_usrreq.c 280459 2015-03-24 21:12:45Z tuexen $"); +__FBSDID("$FreeBSD: head/sys/netinet/sctp_usrreq.c 356270 2020-01-02 13:55:10Z tuexen $"); #endif #include <netinet/sctp_os.h> @@ -5995,6 +5995,14 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); return (EINVAL); } + if ((paddrp->spp_flags & SPP_PMTUD_DISABLE) && + ((paddrp->spp_pathmtu < SCTP_SMALLEST_PMTU) || + (paddrp->spp_pathmtu > SCTP_LARGEST_PMTU))) { + if (stcb) + SCTP_TCB_UNLOCK(stcb); + SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL); + return (EINVAL); + } if (stcb != NULL) { /************************TCB SPECIFIC SET ******************/ @@ -6038,7 +6046,7 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, sctp_chunk_output(inp, stcb, SCTP_OUTPUT_FROM_SOCKOPT, SCTP_SO_LOCKED); sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net); } - if ((paddrp->spp_flags & SPP_PMTUD_DISABLE) && (paddrp->spp_pathmtu >= SCTP_SMALLEST_PMTU)) { + if (paddrp->spp_flags & SPP_PMTUD_DISABLE) { if (SCTP_OS_TIMER_PENDING(&net->pmtu_timer.timer)) { sctp_timer_stop(SCTP_TIMER_TYPE_PATHMTURAISE, inp, stcb, net, SCTP_FROM_SCTP_USRREQ+SCTP_LOC_10); @@ -6160,7 +6168,7 @@ sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize, } sctp_stcb_feature_on(inp, stcb, SCTP_PCB_FLAGS_DONOT_HEARTBEAT); } - if ((paddrp->spp_flags & SPP_PMTUD_DISABLE) && (paddrp->spp_pathmtu >= SCTP_SMALLEST_PMTU)) { + if (paddrp->spp_flags & SPP_PMTUD_DISABLE) { TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) { if (SCTP_OS_TIMER_PENDING(&net->pmtu_timer.timer)) { sctp_timer_stop(SCTP_TIMER_TYPE_PATHMTURAISE, inp, stcb, net, |