Fix the reporting of unknown parameters received in INIT chunks.
This also plugs mbuf leaks. Thanks to Felix Weinrank for reporting
the issue found by fuzz testing the userland stack.
This fixes #255.
diff --git a/usrsctplib/netinet/sctp_output.c b/usrsctplib/netinet/sctp_output.c
index 779e68b..0761597 100755
--- a/usrsctplib/netinet/sctp_output.c
+++ b/usrsctplib/netinet/sctp_output.c
@@ -34,7 +34,7 @@
#ifdef __FreeBSD__
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_output.c 350254 2019-07-23 18:31:07Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_output.c 350520 2019-08-01 19:45:34Z tuexen $");
#endif
#include <netinet/sctp_os.h>
@@ -5376,17 +5376,17 @@
*/
struct sctp_paramhdr *phdr, params;
- struct mbuf *mat, *op_err;
+ struct mbuf *mat, *m_tmp, *op_err, *op_err_last;
int at, limit, pad_needed;
uint16_t ptype, plen, padded_size;
- int err_at;
*abort_processing = 0;
mat = in_initpkt;
- err_at = 0;
limit = ntohs(cp->chunk_length) - sizeof(struct sctp_init_chunk);
at = param_offset;
op_err = NULL;
+ op_err_last = NULL;
+ pad_needed = 0;
SCTPDBG(SCTP_DEBUG_OUTPUT1, "Check for unrecognized param's\n");
phdr = sctp_get_next_param(mat, at, ¶ms, sizeof(params));
while ((phdr != NULL) && ((size_t)limit >= sizeof(struct sctp_paramhdr))) {
@@ -5503,55 +5503,44 @@
break;
case SCTP_HOSTNAME_ADDRESS:
{
- /* We can NOT handle HOST NAME addresses!! */
+ /* Hostname parameters are deprecated. */
+ struct sctp_gen_error_cause *cause;
int l_len;
SCTPDBG(SCTP_DEBUG_OUTPUT1, "Can't handle hostname addresses.. abort processing\n");
*abort_processing = 1;
- if (op_err == NULL) {
- /* Ok need to try to get a mbuf */
+ sctp_m_freem(op_err);
+ op_err = NULL;
+ op_err_last = NULL;
#ifdef INET6
- l_len = SCTP_MIN_OVERHEAD;
+ l_len = SCTP_MIN_OVERHEAD;
#else
- l_len = SCTP_MIN_V4_OVERHEAD;
+ l_len = SCTP_MIN_V4_OVERHEAD;
#endif
- l_len += sizeof(struct sctp_chunkhdr);
- l_len += sizeof(struct sctp_gen_error_cause);
- op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
- if (op_err) {
- SCTP_BUF_LEN(op_err) = 0;
- /*
- * Pre-reserve space for IP, SCTP, and
- * chunk header.
- */
+ l_len += sizeof(struct sctp_chunkhdr);
+ l_len += sizeof(struct sctp_gen_error_cause);
+ op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
+ if (op_err != NULL) {
+ /*
+ * Pre-reserve space for IP, SCTP, and
+ * chunk header.
+ */
#ifdef INET6
- SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
+ SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
#else
- SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
+ SCTP_BUF_RESV_UF(op_err, sizeof(struct ip));
#endif
- SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
- SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
- }
- }
- if (op_err) {
- /* If we have space */
- struct sctp_gen_error_cause cause;
-
- if (err_at % 4) {
- uint32_t cpthis = 0;
-
- pad_needed = 4 - (err_at % 4);
- m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
- err_at += pad_needed;
- }
- cause.code = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
- cause.length = htons((uint16_t)(sizeof(struct sctp_gen_error_cause) + plen));
- m_copyback(op_err, err_at, sizeof(struct sctp_gen_error_cause), (caddr_t)&cause);
- err_at += sizeof(struct sctp_gen_error_cause);
+ SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
+ SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
+ SCTP_BUF_LEN(op_err) = sizeof(struct sctp_gen_error_cause);
+ cause = mtod(op_err, struct sctp_gen_error_cause *);
+ cause->code = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
+ cause->length = htons((uint16_t)(sizeof(struct sctp_gen_error_cause) + plen));
SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
if (SCTP_BUF_NEXT(op_err) == NULL) {
sctp_m_freem(op_err);
- return (NULL);
+ op_err = NULL;
+ op_err_last = NULL;
}
}
return (op_err);
@@ -5586,37 +5575,55 @@
#endif
SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
+ op_err_last = op_err;
}
}
- if (op_err) {
+ if (op_err != NULL) {
/* If we have space */
- struct sctp_paramhdr s;
+ struct sctp_paramhdr *param;
- if (err_at % 4) {
- uint32_t cpthis = 0;
-
- pad_needed = 4 - (err_at % 4);
- m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
- err_at += pad_needed;
+ if (pad_needed > 0) {
+ op_err_last = sctp_add_pad_tombuf(op_err_last, pad_needed);
}
- s.param_type = htons(SCTP_UNRECOG_PARAM);
- s.param_length = htons((uint16_t)sizeof(struct sctp_paramhdr) + plen);
- m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)&s);
- err_at += sizeof(struct sctp_paramhdr);
- SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
- if (SCTP_BUF_NEXT(op_err) == NULL) {
+ if (op_err_last == NULL) {
sctp_m_freem(op_err);
- /*
- * we are out of memory but
- * we still need to have a
- * look at what to do (the
- * system is in trouble
- * though).
- */
op_err = NULL;
+ op_err_last = NULL;
goto more_processing;
}
- err_at += plen;
+ if (M_TRAILINGSPACE(op_err_last) < (int)sizeof(struct sctp_paramhdr)) {
+ m_tmp = sctp_get_mbuf_for_msg(sizeof(struct sctp_paramhdr), 0, M_NOWAIT, 1, MT_DATA);
+ if (m_tmp == NULL) {
+ sctp_m_freem(op_err);
+ op_err = NULL;
+ op_err_last = NULL;
+ goto more_processing;
+ }
+ SCTP_BUF_LEN(m_tmp) = 0;
+ SCTP_BUF_NEXT(m_tmp) = NULL;
+ SCTP_BUF_NEXT(op_err_last) = m_tmp;
+ op_err_last = m_tmp;
+ }
+ param = (struct sctp_paramhdr *)(mtod(op_err_last, caddr_t) + SCTP_BUF_LEN(op_err_last));
+ param->param_type = htons(SCTP_UNRECOG_PARAM);
+ param->param_length = htons((uint16_t)sizeof(struct sctp_paramhdr) + plen);
+ SCTP_BUF_LEN(op_err_last) += sizeof(struct sctp_paramhdr);
+ SCTP_BUF_NEXT(op_err_last) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
+ if (SCTP_BUF_NEXT(op_err_last) == NULL) {
+ sctp_m_freem(op_err);
+ op_err = NULL;
+ op_err_last = NULL;
+ goto more_processing;
+ } else {
+ while (SCTP_BUF_NEXT(op_err_last) != NULL) {
+ op_err_last = SCTP_BUF_NEXT(op_err_last);
+ }
+ }
+ if (plen % 4 != 0) {
+ pad_needed = 4 - (plen % 4);
+ } else {
+ pad_needed = 0;
+ }
}
}
more_processing:
@@ -5637,7 +5644,11 @@
invalid_size:
SCTPDBG(SCTP_DEBUG_OUTPUT1, "abort flag set\n");
*abort_processing = 1;
- if ((op_err == NULL) && phdr) {
+ sctp_m_freem(op_err);
+ op_err = NULL;
+ op_err_last = NULL;
+ if (phdr != NULL) {
+ struct sctp_paramhdr *param;
int l_len;
#ifdef INET6
l_len = SCTP_MIN_OVERHEAD;
@@ -5656,25 +5667,15 @@
#endif
SCTP_BUF_RESV_UF(op_err, sizeof(struct sctphdr));
SCTP_BUF_RESV_UF(op_err, sizeof(struct sctp_chunkhdr));
+ SCTP_BUF_LEN(op_err) = 2 * sizeof(struct sctp_paramhdr);
+ param = mtod(op_err, struct sctp_paramhdr *);
+ param->param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
+ param->param_length = htons(2 * sizeof(struct sctp_paramhdr));
+ param++;
+ param->param_type = htons(ptype);
+ param->param_length = htons(plen);
}
}
- if ((op_err) && phdr) {
- struct sctp_paramhdr s;
-
- if (err_at % 4) {
- uint32_t cpthis = 0;
-
- pad_needed = 4 - (err_at % 4);
- m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
- err_at += pad_needed;
- }
- s.param_type = htons(SCTP_CAUSE_PROTOCOL_VIOLATION);
- s.param_length = htons(sizeof(s) + sizeof(struct sctp_paramhdr));
- m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
- err_at += sizeof(s);
- /* Only copy back the p-hdr that caused the issue */
- m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)phdr);
- }
return (op_err);
}
@@ -6011,8 +6012,7 @@
m = sctp_get_mbuf_for_msg(MCLBYTES, 0, M_NOWAIT, 1, MT_DATA);
if (m == NULL) {
/* No memory, INIT timer will re-attempt. */
- if (op_err)
- sctp_m_freem(op_err);
+ sctp_m_freem(op_err);
return;
}
chunk_len = (uint16_t)sizeof(struct sctp_init_ack_chunk);
@@ -6239,8 +6239,11 @@
net->ro._s_addr = sctp_source_address_selection(inp,
stcb, (sctp_route_t *)&net->ro,
net, 0, vrf_id);
- if (net->ro._s_addr == NULL)
+ if (net->ro._s_addr == NULL) {
+ sctp_m_freem(op_err);
+ sctp_m_freem(m);
return;
+ }
net->src_addr_selected = 1;
@@ -6269,8 +6272,11 @@
net->ro._s_addr = sctp_source_address_selection(inp,
stcb, (sctp_route_t *)&net->ro,
net, 0, vrf_id);
- if (net->ro._s_addr == NULL)
+ if (net->ro._s_addr == NULL) {
+ sctp_m_freem(op_err);
+ sctp_m_freem(m);
return;
+ }
net->src_addr_selected = 1;
}
@@ -6358,6 +6364,7 @@
so = inp->sctp_socket;
if (so == NULL) {
/* memory problem */
+ sctp_m_freem(op_err);
sctp_m_freem(m);
return;
} else {
@@ -9593,7 +9600,6 @@
struct sctp_chunkhdr *chdr;
struct sctp_tmit_chunk *chk;
-
if (net == NULL)
/* must have a net pointer */
return;
@@ -9611,13 +9617,8 @@
chdr = mtod(outchain, struct sctp_chunkhdr *);
chdr->chunk_type = SCTP_HEARTBEAT_ACK;
chdr->chunk_flags = 0;
- if (chk_length % 4) {
- /* need pad */
- uint32_t cpthis = 0;
- int padlen;
-
- padlen = 4 - (chk_length % 4);
- m_copyback(outchain, chk_length, padlen, (caddr_t)&cpthis);
+ if (chk_length % 4 != 0) {
+ sctp_pad_lastmbuf(outchain, 4 - (chk_length % 4), NULL);
}
sctp_alloc_a_chunk(stcb, chk);
if (chk == NULL) {
