From a4f9f9bc9fae6f46b41d001be05b017bec00042d Mon Sep 17 00:00:00 2001 From: tuexen Date: Thu, 7 May 2020 01:31:21 +0000 Subject: [PATCH] MFC r352550: Fix invalid handling of ASCONF chunks Fix the handling of invalid parameters in ASCONF chunks. Thanks to Mark Wodrich from Google for reproting the issue in https://github.com/sctplab/usrsctp/issues/376 for the userland stack. --- sys/netinet/sctp_asconf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netinet/sctp_asconf.c b/sys/netinet/sctp_asconf.c index fe03f54478c4da..43c3df672baa9d 100644 --- a/sys/netinet/sctp_asconf.c +++ b/sys/netinet/sctp_asconf.c @@ -701,6 +701,7 @@ sctp_handle_asconf(struct mbuf *m, unsigned int offset, if (param_length <= sizeof(struct sctp_paramhdr)) { SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf: param length (%u) too short\n", param_length); sctp_m_freem(m_ack); + return; } /* get the entire parameter */ aph = (struct sctp_asconf_paramhdr *)sctp_m_getptr(m, offset, param_length, aparam_buf);