Improve input validation for some parameters having a too small reported length.
Thanks to Natalie Silvanovich from Google for finding one of these
issues in the SCTP userland stack and reporting it.
diff --git a/usrsctplib/netinet/sctp_auth.c b/usrsctplib/netinet/sctp_auth.c
index 5e5813b..bc645b3 100755
--- a/usrsctplib/netinet/sctp_auth.c
+++ b/usrsctplib/netinet/sctp_auth.c
@@ -34,7 +34,7 @@
#ifdef __FreeBSD__
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 334532 2018-06-02 16:28:10Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 355931 2019-12-20 15:25:08Z tuexen $");
#endif
#include <netinet/sctp_os.h>
@@ -1455,7 +1455,8 @@
ptype = ntohs(phdr->param_type);
plen = ntohs(phdr->param_length);
- if ((plen == 0) || (offset + plen > length))
+ if ((plen < sizeof(struct sctp_paramhdr)) ||
+ (offset + plen > length))
break;
if (ptype == SCTP_RANDOM) {
diff --git a/usrsctplib/netinet/sctp_pcb.c b/usrsctplib/netinet/sctp_pcb.c
index 6efcbab..355686f 100755
--- a/usrsctplib/netinet/sctp_pcb.c
+++ b/usrsctplib/netinet/sctp_pcb.c
@@ -34,7 +34,7 @@
#ifdef __FreeBSD__
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_pcb.c 334532 2018-06-02 16:28:10Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_pcb.c 355931 2019-12-20 15:25:08Z tuexen $");
#endif
#include <netinet/sctp_os.h>
@@ -7246,7 +7246,7 @@
if (offset + plen > limit) {
break;
}
- if (plen == 0) {
+ if (plen < sizeof(struct sctp_paramhdr)) {
break;
}
#ifdef INET
@@ -7462,6 +7462,9 @@
if (plen > sizeof(lstore)) {
return (-23);
}
+ if (plen < sizeof(struct sctp_asconf_addrv4_param)) {
+ return (-101);
+ }
phdr = sctp_get_next_param(m, offset,
(struct sctp_paramhdr *)&lstore,
plen);