[src/trunk]: src/sys/netinet Check outgoing cookie size before accessing any ...

[rjs <rjs%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/6c5feef3ccfc
branches:  trunk
changeset: 354743:6c5feef3ccfc
user:      rjs <rjs%NetBSD.org@localhost>
date:      Tue Jun 27 13:27:54 2017 +0000

description:
Check outgoing cookie size before accessing any contents.

Spotted in FreeBSD by maya.

diffstat:

 sys/netinet/sctp_input.c |  31 ++++++++++++++++---------------
 1 files changed, 16 insertions(+), 15 deletions(-)

diffs (60 lines):

diff -r 143ba289d0e0 -r 6c5feef3ccfc sys/netinet/sctp_input.c
--- a/sys/netinet/sctp_input.c  Tue Jun 27 12:43:44 2017 +0000
+++ b/sys/netinet/sctp_input.c  Tue Jun 27 13:27:54 2017 +0000
@@ -1,5 +1,5 @@
 /*     $KAME: sctp_input.c,v 1.28 2005/04/21 18:36:21 nishida Exp $    */
-/*     $NetBSD: sctp_input.c,v 1.6 2017/06/23 15:13:21 rjs Exp $       */
+/*     $NetBSD: sctp_input.c,v 1.7 2017/06/27 13:27:54 rjs Exp $       */
 
 /*
  * Copyright (C) 2002, 2003, 2004 Cisco Systems Inc,
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sctp_input.c,v 1.6 2017/06/23 15:13:21 rjs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sctp_input.c,v 1.7 2017/06/27 13:27:54 rjs Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -1729,19 +1729,6 @@
        cookie_offset = offset + sizeof(struct sctp_chunkhdr);
        cookie_len = ntohs(cp->ch.chunk_length);
 
-       if ((cookie->peerport != sh->src_port) &&
-           (cookie->myport != sh->dest_port) &&
-           (cookie->my_vtag != sh->v_tag)) {
-               /*
-                * invalid ports or bad tag.  Note that we always leave
-                * the v_tag in the header in network order and when we
-                * stored it in the my_vtag slot we also left it in network
-                * order. This maintians the match even though it may be in
-                * the opposite byte order of the machine :->
-                */
-               return (NULL);
-       }
-
        /* compute size of packet */
        if (m->m_flags & M_PKTHDR) {
                size_of_pkt = m->m_pkthdr.len;
@@ -1767,6 +1754,20 @@
 #endif /* SCTP_DEBUG */
                return (NULL);
        }
+
+       if ((cookie->peerport != sh->src_port) &&
+           (cookie->myport != sh->dest_port) &&
+           (cookie->my_vtag != sh->v_tag)) {
+               /*
+                * invalid ports or bad tag.  Note that we always leave
+                * the v_tag in the header in network order and when we
+                * stored it in the my_vtag slot we also left it in network
+                * order. This maintians the match even though it may be in
+                * the opposite byte order of the machine :->
+                */
+               return (NULL);
+       }
+
        /*
         * split off the signature into its own mbuf (since it
         * should not be calculated in the sctp_hash_digest_m() call).