diff options
| author | tuexen <tuexen@FreeBSD.org> | 2017-06-28 21:08:21 +0000 |
|---|---|---|
| committer | tuexen <tuexen@FreeBSD.org> | 2017-06-28 21:08:21 +0000 |
| commit | c036ae9105f347ab3615c94e8bce9fd5c61c06ca (patch) | |
| tree | b8e58e7e0364b7e69abc1b58c2e79d3b106dfeec | |
| parent | ecb5a7e5f9dcad755b6f7a80001364bf3741b617 (diff) | |
| download | FreeBSD-src-c036ae9105f347ab3615c94e8bce9fd5c61c06ca.zip FreeBSD-src-c036ae9105f347ab3615c94e8bce9fd5c61c06ca.tar.gz | |
MFC r320263:
Use a longer buffer for messages in ERROR chunks.
MFC r320264:
Check the length of a COOKIE chunk before accessing fields in it.
MFC r320300:
Handle sctp_get_next_param() in a consistent way.
Approved by: re (marius@)
| -rw-r--r-- | sys/netinet/sctp_auth.c | 53 | ||||
| -rw-r--r-- | sys/netinet/sctp_constants.h | 2 | ||||
| -rw-r--r-- | sys/netinet/sctp_input.c | 20 | ||||
| -rw-r--r-- | sys/netinet/sctp_output.c | 41 | ||||
| -rw-r--r-- | sys/netinet/sctp_pcb.c | 45 |
5 files changed, 89 insertions, 72 deletions
diff --git a/sys/netinet/sctp_auth.c b/sys/netinet/sctp_auth.c index e4abc97..959675d 100644 --- a/sys/netinet/sctp_auth.c +++ b/sys/netinet/sctp_auth.c @@ -1434,7 +1434,7 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m, if (plen > sizeof(random_store)) break; phdr = sctp_get_next_param(m, offset, - (struct sctp_paramhdr *)random_store, min(plen, sizeof(random_store))); + (struct sctp_paramhdr *)random_store, plen); if (phdr == NULL) return; /* save the random and length for the key */ @@ -1447,7 +1447,7 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m, if (plen > sizeof(hmacs_store)) break; phdr = sctp_get_next_param(m, offset, - (struct sctp_paramhdr *)hmacs_store, min(plen, sizeof(hmacs_store))); + (struct sctp_paramhdr *)hmacs_store, plen); if (phdr == NULL) return; /* save the hmacs list and num for the key */ @@ -1469,7 +1469,7 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m, if (plen > sizeof(chunks_store)) break; phdr = sctp_get_next_param(m, offset, - (struct sctp_paramhdr *)chunks_store, min(plen, sizeof(chunks_store))); + (struct sctp_paramhdr *)chunks_store, plen); if (phdr == NULL) return; chunks = (struct sctp_auth_chunk_list *)phdr; @@ -1814,7 +1814,7 @@ sctp_notify_authentication(struct sctp_tcb *stcb, uint32_t indication, int sctp_validate_init_auth_params(struct mbuf *m, int offset, int limit) { - struct sctp_paramhdr *phdr, parm_buf; + struct sctp_paramhdr *phdr, param_buf; uint16_t ptype, plen; int peer_supports_asconf = 0; int peer_supports_auth = 0; @@ -1823,7 +1823,7 @@ sctp_validate_init_auth_params(struct mbuf *m, int offset, int limit) uint8_t saw_asconf_ack = 0; /* go through each of the params. */ - phdr = sctp_get_next_param(m, offset, &parm_buf, sizeof(parm_buf)); + phdr = sctp_get_next_param(m, offset, ¶m_buf, sizeof(param_buf)); while (phdr) { ptype = ntohs(phdr->param_type); plen = ntohs(phdr->param_length); @@ -1837,11 +1837,15 @@ sctp_validate_init_auth_params(struct mbuf *m, int offset, int limit) if (ptype == SCTP_SUPPORTED_CHUNK_EXT) { /* A supported extension chunk */ struct sctp_supported_chunk_types_param *pr_supported; - uint8_t local_store[SCTP_PARAM_BUFFER_SIZE]; + uint8_t local_store[SCTP_SMALL_CHUNK_STORE]; int num_ent, i; + if (plen > sizeof(local_store)) { + break; + } phdr = sctp_get_next_param(m, offset, - (struct sctp_paramhdr *)&local_store, min(plen, sizeof(local_store))); + (struct sctp_paramhdr *)&local_store, + plen); if (phdr == NULL) { return (-1); } @@ -1859,7 +1863,6 @@ sctp_validate_init_auth_params(struct mbuf *m, int offset, int limit) } } } else if (ptype == SCTP_RANDOM) { - got_random = 1; /* enforce the random length */ if (plen != (sizeof(struct sctp_auth_random) + SCTP_AUTH_RANDOM_SIZE_REQUIRED)) { @@ -1867,20 +1870,23 @@ sctp_validate_init_auth_params(struct mbuf *m, int offset, int limit) "SCTP: invalid RANDOM len\n"); return (-1); } + got_random = 1; } else if (ptype == SCTP_HMAC_LIST) { - uint8_t store[SCTP_PARAM_BUFFER_SIZE]; struct sctp_auth_hmac_algo *hmacs; + uint8_t store[SCTP_PARAM_BUFFER_SIZE]; int num_hmacs; - if (plen > sizeof(store)) + if (plen > sizeof(store)) { break; + } phdr = sctp_get_next_param(m, offset, - (struct sctp_paramhdr *)store, min(plen, sizeof(store))); - if (phdr == NULL) + (struct sctp_paramhdr *)store, + plen); + if (phdr == NULL) { return (-1); + } hmacs = (struct sctp_auth_hmac_algo *)phdr; - num_hmacs = (plen - sizeof(*hmacs)) / - sizeof(hmacs->hmac_ids[0]); + num_hmacs = (plen - sizeof(*hmacs)) / sizeof(hmacs->hmac_ids[0]); /* validate the hmac list */ if (sctp_verify_hmac_param(hmacs, num_hmacs)) { SCTPDBG(SCTP_DEBUG_AUTH1, @@ -1889,18 +1895,19 @@ sctp_validate_init_auth_params(struct mbuf *m, int offset, int limit) } got_hmacs = 1; } else if (ptype == SCTP_CHUNK_LIST) { - int i, num_chunks; + struct sctp_auth_chunk_list *chunks; uint8_t chunks_store[SCTP_SMALL_CHUNK_STORE]; + int i, num_chunks; - /* did the peer send a non-empty chunk list? */ - struct sctp_auth_chunk_list *chunks = NULL; - + if (plen > sizeof(chunks_store)) { + break; + } phdr = sctp_get_next_param(m, offset, (struct sctp_paramhdr *)chunks_store, - min(plen, sizeof(chunks_store))); - if (phdr == NULL) + plen); + if (phdr == NULL) { return (-1); - + } /*- * Flip through the list and mark that the * peer supports asconf/asconf_ack. @@ -1922,8 +1929,8 @@ sctp_validate_init_auth_params(struct mbuf *m, int offset, int limit) if (offset >= limit) { break; } - phdr = sctp_get_next_param(m, offset, &parm_buf, - sizeof(parm_buf)); + phdr = sctp_get_next_param(m, offset, ¶m_buf, + sizeof(param_buf)); } /* validate authentication required parameters */ if (got_random && got_hmacs) { diff --git a/sys/netinet/sctp_constants.h b/sys/netinet/sctp_constants.h index e779051..dca34cc 100644 --- a/sys/netinet/sctp_constants.h +++ b/sys/netinet/sctp_constants.h @@ -758,7 +758,7 @@ __FBSDID("$FreeBSD$"); #define SCTP_DEFAULT_SPLIT_POINT_MIN 2904 /* Maximum length of diagnostic information in error causes */ -#define SCTP_DIAG_INFO_LEN 64 +#define SCTP_DIAG_INFO_LEN 128 /* ABORT CODES and other tell-tale location * codes are generated by adding the below diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c index 956b159..360013c 100644 --- a/sys/netinet/sctp_input.c +++ b/sys/netinet/sctp_input.c @@ -2444,6 +2444,12 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, cookie_offset = offset + sizeof(struct sctp_chunkhdr); cookie_len = ntohs(cp->ch.chunk_length); + if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) + + sizeof(struct sctp_init_chunk) + + sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { + /* cookie too small */ + return (NULL); + } if ((cookie->peerport != sh->src_port) || (cookie->myport != sh->dest_port) || (cookie->my_vtag != sh->v_tag)) { @@ -2456,12 +2462,6 @@ sctp_handle_cookie_echo(struct mbuf *m, int iphlen, int offset, */ return (NULL); } - if (cookie_len < sizeof(struct sctp_cookie_echo_chunk) + - sizeof(struct sctp_init_chunk) + - sizeof(struct sctp_init_ack_chunk) + SCTP_SIGNATURE_SIZE) { - /* cookie too small */ - return (NULL); - } /* * split off the signature into its own mbuf (since it should not be * calculated in the sctp_hmac_m() call). @@ -3620,7 +3620,7 @@ sctp_handle_stream_reset_response(struct sctp_tcb *stcb, struct sctp_stream_reset_response *respin) { uint16_t type; - int lparm_len; + int lparam_len; struct sctp_association *asoc = &stcb->asoc; struct sctp_tmit_chunk *chk; struct sctp_stream_reset_request *req_param; @@ -3637,12 +3637,12 @@ sctp_handle_stream_reset_response(struct sctp_tcb *stcb, if (req_param != NULL) { stcb->asoc.str_reset_seq_out++; type = ntohs(req_param->ph.param_type); - lparm_len = ntohs(req_param->ph.param_length); + lparam_len = ntohs(req_param->ph.param_length); if (type == SCTP_STR_RESET_OUT_REQUEST) { int no_clear = 0; req_out_param = (struct sctp_stream_reset_out_request *)req_param; - number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); + number_entries = (lparam_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); asoc->stream_reset_out_is_outstanding = 0; if (asoc->stream_reset_outstanding) asoc->stream_reset_outstanding--; @@ -3668,7 +3668,7 @@ sctp_handle_stream_reset_response(struct sctp_tcb *stcb, } } else if (type == SCTP_STR_RESET_IN_REQUEST) { req_in_param = (struct sctp_stream_reset_in_request *)req_param; - number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); + number_entries = (lparam_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); if (asoc->stream_reset_outstanding) asoc->stream_reset_outstanding--; if (action == SCTP_STREAM_RESET_RESULT_DENIED) { diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c index 35d8c40..e04486c 100644 --- a/sys/netinet/sctp_output.c +++ b/sys/netinet/sctp_output.c @@ -1940,7 +1940,7 @@ static struct mbuf * sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t *len) { #if defined(INET) || defined(INET6) - struct sctp_paramhdr *parmh; + struct sctp_paramhdr *paramh; struct mbuf *mret; uint16_t plen; #endif @@ -1962,7 +1962,7 @@ sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t *len) #if defined(INET) || defined(INET6) if (M_TRAILINGSPACE(m) >= plen) { /* easy side we just drop it on the end */ - parmh = (struct sctp_paramhdr *)(SCTP_BUF_AT(m, SCTP_BUF_LEN(m))); + paramh = (struct sctp_paramhdr *)(SCTP_BUF_AT(m, SCTP_BUF_LEN(m))); mret = m; } else { /* Need more space */ @@ -1976,7 +1976,7 @@ sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t *len) return (m); } mret = SCTP_BUF_NEXT(mret); - parmh = mtod(mret, struct sctp_paramhdr *); + paramh = mtod(mret, struct sctp_paramhdr *); } /* now add the parameter */ switch (ifa->address.sa.sa_family) { @@ -1987,9 +1987,9 @@ sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t *len) struct sockaddr_in *sin; sin = &ifa->address.sin; - ipv4p = (struct sctp_ipv4addr_param *)parmh; - parmh->param_type = htons(SCTP_IPV4_ADDRESS); - parmh->param_length = htons(plen); + ipv4p = (struct sctp_ipv4addr_param *)paramh; + paramh->param_type = htons(SCTP_IPV4_ADDRESS); + paramh->param_length = htons(plen); ipv4p->addr = sin->sin_addr.s_addr; SCTP_BUF_LEN(mret) += plen; break; @@ -2002,9 +2002,9 @@ sctp_add_addr_to_mbuf(struct mbuf *m, struct sctp_ifa *ifa, uint16_t *len) struct sockaddr_in6 *sin6; sin6 = &ifa->address.sin6; - ipv6p = (struct sctp_ipv6addr_param *)parmh; - parmh->param_type = htons(SCTP_IPV6_ADDRESS); - parmh->param_length = htons(plen); + ipv6p = (struct sctp_ipv6addr_param *)paramh; + paramh->param_type = htons(SCTP_IPV6_ADDRESS); + paramh->param_length = htons(plen); memcpy(ipv6p->addr, &sin6->sin6_addr, sizeof(ipv6p->addr)); /* clear embedded scope in the address */ @@ -5141,7 +5141,10 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt, s.param_length = htons(sizeof(s) + plen); m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s); err_at += sizeof(s); - phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf), plen)); + if (plen > sizeof(tempbuf)) { + plen = sizeof(tempbuf); + } + phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, plen); if (phdr == NULL) { sctp_m_freem(op_err); /* @@ -5209,7 +5212,7 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt, if (plen > sizeof(tempbuf)) { plen = sizeof(tempbuf); } - phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, min(sizeof(tempbuf), plen)); + phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, plen); if (phdr == NULL) { sctp_m_freem(op_err); /* @@ -5390,10 +5393,12 @@ sctp_are_there_new_addresses(struct sctp_association *asoc, { struct sctp_ipv4addr_param *p4, p4_buf; + if (plen != sizeof(struct sctp_ipv4addr_param)) { + return (1); + } phdr = sctp_get_next_param(in_initpkt, offset, (struct sctp_paramhdr *)&p4_buf, sizeof(p4_buf)); - if (plen != sizeof(struct sctp_ipv4addr_param) || - phdr == NULL) { + if (phdr == NULL) { return (1); } if (asoc->scope.ipv4_addr_legal) { @@ -5409,10 +5414,12 @@ sctp_are_there_new_addresses(struct sctp_association *asoc, { struct sctp_ipv6addr_param *p6, p6_buf; + if (plen != sizeof(struct sctp_ipv6addr_param)) { + return (1); + } phdr = sctp_get_next_param(in_initpkt, offset, (struct sctp_paramhdr *)&p6_buf, sizeof(p6_buf)); - if (plen != sizeof(struct sctp_ipv6addr_param) || - phdr == NULL) { + if (phdr == NULL) { return (1); } if (asoc->scope.ipv6_addr_legal) { @@ -9000,7 +9007,7 @@ sctp_send_cookie_echo(struct mbuf *m, */ int at; struct mbuf *cookie; - struct sctp_paramhdr parm, *phdr; + struct sctp_paramhdr param, *phdr; struct sctp_chunkhdr *hdr; struct sctp_tmit_chunk *chk; uint16_t ptype, plen; @@ -9010,7 +9017,7 @@ sctp_send_cookie_echo(struct mbuf *m, cookie = NULL; at = offset + sizeof(struct sctp_init_chunk); for (;;) { - phdr = sctp_get_next_param(m, at, &parm, sizeof(parm)); + phdr = sctp_get_next_param(m, at, ¶m, sizeof(param)); if (phdr == NULL) { return (-3); } diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index 551a9cb..562401f 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c @@ -2046,7 +2046,7 @@ sctp_findassociation_special_addr(struct mbuf *m, int offset, struct sctphdr *sh, struct sctp_inpcb **inp_p, struct sctp_nets **netp, struct sockaddr *dst) { - struct sctp_paramhdr *phdr, parm_buf; + struct sctp_paramhdr *phdr, param_buf; #if defined(INET) || defined(INET6) struct sctp_tcb *stcb; uint16_t ptype; @@ -2074,7 +2074,7 @@ sctp_findassociation_special_addr(struct mbuf *m, int offset, offset += sizeof(struct sctp_init_chunk); - phdr = sctp_get_next_param(m, offset, &parm_buf, sizeof(parm_buf)); + phdr = sctp_get_next_param(m, offset, ¶m_buf, sizeof(param_buf)); while (phdr != NULL) { /* now we must see if we want the parameter */ #if defined(INET) || defined(INET6) @@ -2088,10 +2088,10 @@ sctp_findassociation_special_addr(struct mbuf *m, int offset, if (ptype == SCTP_IPV4_ADDRESS && plen == sizeof(struct sctp_ipv4addr_param)) { /* Get the rest of the address */ - struct sctp_ipv4addr_param ip4_parm, *p4; + struct sctp_ipv4addr_param ip4_param, *p4; phdr = sctp_get_next_param(m, offset, - (struct sctp_paramhdr *)&ip4_parm, min(plen, sizeof(ip4_parm))); + (struct sctp_paramhdr *)&ip4_param, sizeof(ip4_param)); if (phdr == NULL) { return (NULL); } @@ -2109,10 +2109,10 @@ sctp_findassociation_special_addr(struct mbuf *m, int offset, if (ptype == SCTP_IPV6_ADDRESS && plen == sizeof(struct sctp_ipv6addr_param)) { /* Get the rest of the address */ - struct sctp_ipv6addr_param ip6_parm, *p6; + struct sctp_ipv6addr_param ip6_param, *p6; phdr = sctp_get_next_param(m, offset, - (struct sctp_paramhdr *)&ip6_parm, min(plen, sizeof(ip6_parm))); + (struct sctp_paramhdr *)&ip6_param, sizeof(ip6_param)); if (phdr == NULL) { return (NULL); } @@ -2127,8 +2127,8 @@ sctp_findassociation_special_addr(struct mbuf *m, int offset, } #endif offset += SCTP_SIZE32(plen); - phdr = sctp_get_next_param(m, offset, &parm_buf, - sizeof(parm_buf)); + phdr = sctp_get_next_param(m, offset, ¶m_buf, + sizeof(param_buf)); } return (NULL); } @@ -2301,7 +2301,7 @@ sctp_findassociation_ep_asconf(struct mbuf *m, int offset, { struct sctp_tcb *stcb; union sctp_sockstore remote_store; - struct sctp_paramhdr parm_buf, *phdr; + struct sctp_paramhdr param_buf, *phdr; int ptype; int zero_address = 0; #ifdef INET @@ -2313,7 +2313,7 @@ sctp_findassociation_ep_asconf(struct mbuf *m, int offset, memset(&remote_store, 0, sizeof(remote_store)); phdr = sctp_get_next_param(m, offset + sizeof(struct sctp_asconf_chunk), - &parm_buf, sizeof(struct sctp_paramhdr)); + ¶m_buf, sizeof(struct sctp_paramhdr)); if (phdr == NULL) { SCTPDBG(SCTP_DEBUG_INPUT3, "%s: failed to get asconf lookup addr\n", __func__); @@ -2333,7 +2333,7 @@ sctp_findassociation_ep_asconf(struct mbuf *m, int offset, } p6 = (struct sctp_ipv6addr_param *)sctp_get_next_param(m, offset + sizeof(struct sctp_asconf_chunk), - &p6_buf.ph, sizeof(*p6)); + &p6_buf.ph, sizeof(p6_buf)); if (p6 == NULL) { SCTPDBG(SCTP_DEBUG_INPUT3, "%s: failed to get asconf v6 lookup addr\n", __func__); @@ -2360,7 +2360,7 @@ sctp_findassociation_ep_asconf(struct mbuf *m, int offset, } p4 = (struct sctp_ipv4addr_param *)sctp_get_next_param(m, offset + sizeof(struct sctp_asconf_chunk), - &p4_buf.ph, sizeof(*p4)); + &p4_buf.ph, sizeof(p4_buf)); if (p4 == NULL) { SCTPDBG(SCTP_DEBUG_INPUT3, "%s: failed to get asconf v4 lookup addr\n", __func__); @@ -6026,7 +6026,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, */ struct sctp_inpcb *inp; struct sctp_nets *net, *nnet, *net_tmp; - struct sctp_paramhdr *phdr, parm_buf; + struct sctp_paramhdr *phdr, param_buf; struct sctp_tcb *stcb_tmp; uint16_t ptype, plen; struct sockaddr *sa; @@ -6136,7 +6136,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, return (-4); } /* now we must go through each of the params. */ - phdr = sctp_get_next_param(m, offset, &parm_buf, sizeof(parm_buf)); + phdr = sctp_get_next_param(m, offset, ¶m_buf, sizeof(param_buf)); while (phdr) { ptype = ntohs(phdr->param_type); plen = ntohs(phdr->param_length); @@ -6374,7 +6374,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, } phdr = sctp_get_next_param(m, offset, (struct sctp_paramhdr *)&lstore, - min(plen, sizeof(lstore))); + plen); if (phdr == NULL) { return (-24); } @@ -6427,8 +6427,11 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, uint8_t local_store[SCTP_PARAM_BUFFER_SIZE]; int num_ent, i; + if (plen > sizeof(local_store)) { + return (-35); + } phdr = sctp_get_next_param(m, offset, - (struct sctp_paramhdr *)&local_store, min(sizeof(local_store), plen)); + (struct sctp_paramhdr *)&local_store, plen); if (phdr == NULL) { return (-25); } @@ -6475,7 +6478,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, } phdr = sctp_get_next_param(m, offset, (struct sctp_paramhdr *)random_store, - min(sizeof(random_store), plen)); + plen); if (phdr == NULL) return (-26); p_random = (struct sctp_auth_random *)phdr; @@ -6498,7 +6501,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, } phdr = sctp_get_next_param(m, offset, (struct sctp_paramhdr *)hmacs_store, - min(plen, sizeof(hmacs_store))); + plen); if (phdr == NULL) return (-28); hmacs = (struct sctp_auth_hmac_algo *)phdr; @@ -6529,7 +6532,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, } phdr = sctp_get_next_param(m, offset, (struct sctp_paramhdr *)chunks_store, - min(plen, sizeof(chunks_store))); + plen); if (phdr == NULL) return (-30); chunks = (struct sctp_auth_chunk_list *)phdr; @@ -6577,8 +6580,8 @@ next_param: if (offset >= limit) { break; } - phdr = sctp_get_next_param(m, offset, &parm_buf, - sizeof(parm_buf)); + phdr = sctp_get_next_param(m, offset, ¶m_buf, + sizeof(param_buf)); } /* Now check to see if we need to purge any addresses */ TAILQ_FOREACH_SAFE(net, &stcb->asoc.nets, sctp_next, nnet) { |
