diff options
author | tuexen <tuexen@FreeBSD.org> | 2014-10-12 17:42:32 +0000 |
---|---|---|
committer | tuexen <tuexen@FreeBSD.org> | 2014-10-12 17:42:32 +0000 |
commit | b0912548c1bccd50c002f365243e2ed313f04af0 (patch) | |
tree | 0ed10796733501f188d73953db82196cbcfe23a3 /sys/netinet | |
parent | 85569fa02c3eacfedb0cf0a7c4a912fd9895d3b2 (diff) | |
download | FreeBSD-src-b0912548c1bccd50c002f365243e2ed313f04af0.zip FreeBSD-src-b0912548c1bccd50c002f365243e2ed313f04af0.tar.gz |
MFC r272751:
Ensure that the list of streams sent in a stream reset parameter fits
in an mbuf-cluster.
Thanks to Peter Bostroem for drawing my attention to this part of the code.
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/sctp_output.c | 10 | ||||
-rw-r--r-- | sys/netinet/sctp_output.h | 4 |
2 files changed, 11 insertions, 3 deletions
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c index 8260ba7..7cbb30f 100644 --- a/sys/netinet/sctp_output.c +++ b/sys/netinet/sctp_output.c @@ -11846,7 +11846,7 @@ sctp_add_an_in_stream(struct sctp_tmit_chunk *chk, int sctp_send_str_reset_req(struct sctp_tcb *stcb, - int number_entries, uint16_t * list, + uint16_t number_entries, uint16_t * list, uint8_t send_out_req, uint8_t send_in_req, uint8_t send_tsn_req, @@ -11879,6 +11879,14 @@ sctp_send_str_reset_req(struct sctp_tcb *stcb, SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, EINVAL); return (EINVAL); } + if (number_entries > (MCLBYTES - + SCTP_MIN_OVERHEAD - + sizeof(struct sctp_chunkhdr) - + sizeof(struct sctp_stream_reset_out_request)) / + sizeof(uint16_t)) { + SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM); + return (ENOMEM); + } sctp_alloc_a_chunk(stcb, chk); if (chk == NULL) { SCTP_LTRACE_ERR_RET(NULL, stcb, NULL, SCTP_FROM_SCTP_OUTPUT, ENOMEM); diff --git a/sys/netinet/sctp_output.h b/sys/netinet/sctp_output.h index 59af5af..8789df9 100644 --- a/sys/netinet/sctp_output.h +++ b/sys/netinet/sctp_output.h @@ -181,8 +181,8 @@ sctp_add_stream_reset_result_tsn(struct sctp_tmit_chunk *, uint32_t, uint32_t, uint32_t, uint32_t); int -sctp_send_str_reset_req(struct sctp_tcb *, int, uint16_t *, uint8_t, uint8_t, - uint8_t, uint8_t, uint16_t, uint16_t, uint8_t); +sctp_send_str_reset_req(struct sctp_tcb *, uint16_t, uint16_t *, uint8_t, + uint8_t, uint8_t, uint8_t, uint16_t, uint16_t, uint8_t); void sctp_send_abort(struct mbuf *, int, struct sockaddr *, struct sockaddr *, |