[Midnightbsd-cvs] src [7421] trunk/sys/netinet6/sctp6_usrreq.c: A lack of proper input checks in the ICMPv6 processing in the SCTP stack
laffer1 at midnightbsd.org
Thu Jan 14 08:42:09 EST 2016
Revision: 7421
http://svnweb.midnightbsd.org/src/?rev=7421
Author: laffer1
Date: 2016-01-14 08:42:09 -0500 (Thu, 14 Jan 2016)
Log Message:
-----------
A lack of proper input checks in the ICMPv6 processing in the SCTP stack
can lead to either a failed kernel assertion or to a NULL pointer
dereference. In either case, a kernel panic will follow.
Obtained from: FreeBSD
Modified Paths:
--------------
trunk/sys/netinet6/sctp6_usrreq.c
Modified: trunk/sys/netinet6/sctp6_usrreq.c
===================================================================
--- trunk/sys/netinet6/sctp6_usrreq.c 2016-01-14 13:25:45 UTC (rev 7420)
+++ trunk/sys/netinet6/sctp6_usrreq.c 2016-01-14 13:42:09 UTC (rev 7421)
@@ -502,7 +502,6 @@
* XXX: We assume that when IPV6 is non NULL, M and OFF are
* valid.
*/
- /* check if we can safely examine src and dst ports */
struct sctp_inpcb *inp = NULL;
struct sctp_tcb *stcb = NULL;
struct sctp_nets *net = NULL;
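Review bot: The XXX comment kept at the top of this hunk still says M and OFF are assumed valid whenever IPV6 is non-NULL, yet the function tests ip6cp->ip6c_m for NULL a few lines later and, with this change, also tests the packet length against ip6c_off. Consider rewording that comment to say which fields are actually validated and which are still trusted, so the next reader does not take the assumption at face value.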
@@ -511,6 +510,10 @@
if (ip6cp->ip6c_m == NULL)
return;
+ /* Check if we can safely examine the SCTP header. */
+ if (ip6cp->ip6c_m->m_pkthdr.len < ip6cp->ip6c_off + sizeof(sh))
+ return;
+
bzero(&sh, sizeof(sh));
bzero(&final, sizeof(final));
inp = NULL;
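Review bot: The added test `m_pkthdr.len < ip6cp->ip6c_off + sizeof(sh)` mixes the length and offset with sizeof(sh), which is a size_t, so if either field is a signed type the comparison is carried out unsigned; please make the intended types explicit (a cast, or a separate check that ip6c_off is not negative) rather than relying on implicit conversion. The test also bounds only the total packet length in m_pkthdr.len, not the contiguous data in the first mbuf, so it is worth confirming that the code after the bzero() calls copies the header into sh rather than dereferencing a pointer at ip6c_off. Finally, the log message names two failure modes (a failed assertion and a NULL dereference) while the comment only says "safely examine the SCTP header"; a sentence saying which of the two this early return prevents would help.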