From 0d7b7b74c6015a068c410238295e0e7304af6a29 Mon Sep 17 00:00:00 2001
From: Michael Tuexen
Date: Wed, 29 Jul 2020 13:36:37 +0000
Subject: [WebRTC] Stop putting addresses in the cookie chunk.
When using AF_CONN addresses, don't put these in the COOKIE chunk. For these addresses it is possible to reconstruct them locally. Conceptually, addresses are something to be shared with the peer, but in the case of AF_CONN this might not be the case. Therefore, zero then out.
Thanks to Natalie Silvanovich of Google Project Zero for finding and reporting the issue.
---
 netwerk/sctp/src/netinet/sctp_input.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
(limited to 'netwerk/sctp/src/netinet/sctp_input.c')
diff --git a/netwerk/sctp/src/netinet/sctp_input.c b/netwerk/sctp/src/netinet/sctp_input.c
index 1301b430c..f469e0f5c 100755
--- a/netwerk/sctp/src/netinet/sctp_input.c
+++ b/netwerk/sctp/src/netinet/sctp_input.c
@@ -2517,6 +2517,27 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset,
 /* cookie too small */
 return (NULL);
 }
+#if defined(__Userspace__)
+ /*
+ * Recover the AF_CONN addresses within the cookie.
+ * This needs to be done in the buffer provided for later processing
+ * of the cookie and in the mbuf chain for HMAC validation.
+ */
+ if ((cookie->addr_type == SCTP_CONN_ADDRESS) && (src->sa_family == AF_CONN)) {
+ struct sockaddr_conn *sconnp = (struct sockaddr_conn *)src;
+
+ memcpy(cookie->address, &sconnp->sconn_addr , sizeof(void *));
+ m_copyback(m, cookie_offset + offsetof(struct sctp_state_cookie, address),
+ (int)sizeof(void *), (caddr_t)&sconnp->sconn_addr);
+ }
+ if ((cookie->laddr_type == SCTP_CONN_ADDRESS) && (dst->sa_family == AF_CONN)) {
+ struct sockaddr_conn *sconnp = (struct sockaddr_conn *)dst;
+
+ memcpy(cookie->laddress, &sconnp->sconn_addr , sizeof(void *));
+ m_copyback(m, cookie_offset + offsetof(struct sctp_state_cookie, laddress),
+ (int)sizeof(void *), (caddr_t)&sconnp->sconn_addr);
+ }
+#endif
 /*
 * split off the signature into its own mbuf (since it should not be
 * calculated in the sctp_hmac_m() call).
--
cgit v1.2.3
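Review bot: The restored pointer is written back into the mbuf chain before the signature is split off and checked, so cookie validation now only succeeds if the sending side computed its HMAC over the real sconn_addr and zeroed the on-wire copy afterwards; that ordering lives in the send path, which this one-file diff does not show, and the new comment does not record it, so I would extend it with `The sender HMACs the cookie before zeroing these fields on the wire; they must be restored here before sctp_hmac_m() sees the chain, otherwise validation fails closed.` Both copies are bounded by sizeof(void *), which is only safe if the address and laddress fields are at least pointer-sized (presumably 16-byte IPv6 storage, but their declaration is not visible here) — a static assert on `sizeof(((struct sctp_state_cookie *)0)->address) >= sizeof(void *)` would pin that if the file already uses C11. Style: drop the stray space before the comma in both `memcpy(..., &sconnp->sconn_addr , sizeof(void *))` calls. sctp_handle_cookie_echo begins and ends outside the hunk.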