Improve input validation of the spp_pathmtu field in the
SCTP_PEER_ADDR_PARAMS socket option. The code in the stack assumes
sane values for the MTU.
This issue was found by running an instance of syzkaller.
diff --git a/usrsctplib/netinet/sctp.h b/usrsctplib/netinet/sctp.h
index 4a7c12d..ee5c0ba 100755
--- a/usrsctplib/netinet/sctp.h
+++ b/usrsctplib/netinet/sctp.h
@@ -1,3 +1,4 @@
+
/*-
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -34,7 +35,7 @@
#ifdef __FreeBSD__
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp.h 345461 2019-03-23 22:56:03Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp.h 356270 2020-01-02 13:55:10Z tuexen $");
#endif
#ifndef _NETINET_SCTP_H_
@@ -609,7 +610,10 @@
#define SCTP_MOBILITY_PRIM_DELETED 0x00000004
-#define SCTP_SMALLEST_PMTU 512 /* smallest pmtu allowed when disabling PMTU discovery */
+/* Smallest PMTU allowed when disabling PMTU discovery */
+#define SCTP_SMALLEST_PMTU 512
+/* Largest PMTU allowed when disabling PMTU discovery */
+#define SCTP_LARGEST_PMTU 65536
#if defined(__Userspace_os_Windows)
#pragma pack(pop)
diff --git a/usrsctplib/netinet/sctp_usrreq.c b/usrsctplib/netinet/sctp_usrreq.c
index c10dabb..6a19f62 100755
--- a/usrsctplib/netinet/sctp_usrreq.c
+++ b/usrsctplib/netinet/sctp_usrreq.c
@@ -34,7 +34,7 @@
#ifdef __FreeBSD__
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_usrreq.c 355265 2019-12-01 17:35:36Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_usrreq.c 356270 2020-01-02 13:55:10Z tuexen $");
#endif
#include <netinet/sctp_os.h>
@@ -6210,6 +6210,14 @@
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
return (EINVAL);
}
+ if ((paddrp->spp_flags & SPP_PMTUD_DISABLE) &&
+ ((paddrp->spp_pathmtu < SCTP_SMALLEST_PMTU) ||
+ (paddrp->spp_pathmtu > SCTP_LARGEST_PMTU))) {
+ if (stcb)
+ SCTP_TCB_UNLOCK(stcb);
+ SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
+ return (EINVAL);
+ }
if (stcb != NULL) {
/************************TCB SPECIFIC SET ******************/
@@ -6241,7 +6249,7 @@
sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, inp, stcb, net);
}
}
- if ((paddrp->spp_flags & SPP_PMTUD_DISABLE) && (paddrp->spp_pathmtu >= SCTP_SMALLEST_PMTU)) {
+ if (paddrp->spp_flags & SPP_PMTUD_DISABLE) {
if (SCTP_OS_TIMER_PENDING(&net->pmtu_timer.timer)) {
sctp_timer_stop(SCTP_TIMER_TYPE_PATHMTURAISE, inp, stcb, net,
SCTP_FROM_SCTP_USRREQ + SCTP_LOC_11);
@@ -6388,7 +6396,7 @@
}
sctp_stcb_feature_on(inp, stcb, SCTP_PCB_FLAGS_DONOT_HEARTBEAT);
}
- if ((paddrp->spp_flags & SPP_PMTUD_DISABLE) && (paddrp->spp_pathmtu >= SCTP_SMALLEST_PMTU)) {
+ if (paddrp->spp_flags & SPP_PMTUD_DISABLE) {
TAILQ_FOREACH(net, &stcb->asoc.nets, sctp_next) {
if (SCTP_OS_TIMER_PENDING(&net->pmtu_timer.timer)) {
sctp_timer_stop(SCTP_TIMER_TYPE_PATHMTURAISE, inp, stcb, net,
@@ -6491,9 +6499,7 @@
inp->sctp_ep.default_mtu = 0;
sctp_feature_off(inp, SCTP_PCB_FLAGS_DO_NOT_PMTUD);
} else if (paddrp->spp_flags & SPP_PMTUD_DISABLE) {
- if (paddrp->spp_pathmtu >= SCTP_SMALLEST_PMTU) {
- inp->sctp_ep.default_mtu = paddrp->spp_pathmtu;
- }
+ inp->sctp_ep.default_mtu = paddrp->spp_pathmtu;
sctp_feature_on(inp, SCTP_PCB_FLAGS_DO_NOT_PMTUD);
}
if (paddrp->spp_flags & SPP_DSCP) {
