Fix the handling of invalid parameters in ASCONF chunks.

Thanks to Mark Wodrich from Google for reproting the issue in sctplab/usrsctp#376 for the userland stack. MFC after: 3 days git-svn-id: https://svn.freebsd.org/base/head@352550 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
mat813 · Sep 20, 2019 · bce00f0 · bce00f0
1 parent 542f3cb
commit bce00f0
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/sys/netinet/sctp_asconf.c b/sys/netinet/sctp_asconf.c
@@ -703,6 +703,7 @@ sctp_handle_asconf(struct mbuf *m, unsigned int offset,
 		if (param_length <= sizeof(struct sctp_paramhdr)) {
 			SCTPDBG(SCTP_DEBUG_ASCONF1, "handle_asconf: param length (%u) too short\n", param_length);
 			sctp_m_freem(m_ack);
+			return;
 		}
 		/* get the entire parameter */
 		aph = (struct sctp_asconf_paramhdr *)sctp_m_getptr(m, offset, param_length, aparam_buf);