diff options
| author | Mirko Bonadei <mbonadei@chromium.org> | 2020-03-16 05:40:55 +0000 |
|---|---|---|
| committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2020-03-24 08:38:16 +0000 |
| commit | 6c9be50c2d901e66119679155fb3c7c9200448d1 (patch) | |
| tree | 3d54ece47ea49cabe95bf09fad9f28e060785bb8 | |
| parent | 9aabebeb69be9c62ded34e81217f648b0fa1c7d2 (diff) | |
| download | qtwebengine-chromium-6c9be50c2d901e66119679155fb3c7c9200448d1.tar.gz | |
Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2093604
https://chromium-review.googlesource.com/c/chromium/src/+/2104774
[Merge M80 minibranch] - Point usrsctp to a68325e7d9ed844cc84ec134192d788586ea6cc1.
(cherry picked from commit 3030db702eee4f24e74e84b66024bd0875fd5418)
Bug: 1059349
Change-Id: Ib13d240407297ee508865fdfc38425377a9d064b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
| -rwxr-xr-x | chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c | 5 | ||||
| -rwxr-xr-x | chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c | 7 |
2 files changed, 8 insertions, 4 deletions
diff --git a/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c b/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c index 5e5813b3f17..bc645b36d90 100755 --- a/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c +++ b/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c @@ -34,7 +34,7 @@ #ifdef __FreeBSD__ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 334532 2018-06-02 16:28:10Z tuexen $"); +__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 355931 2019-12-20 15:25:08Z tuexen $"); #endif #include <netinet/sctp_os.h> @@ -1455,7 +1455,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m, ptype = ntohs(phdr->param_type); plen = ntohs(phdr->param_length); - if ((plen == 0) || (offset + plen > length)) + if ((plen < sizeof(struct sctp_paramhdr)) || + (offset + plen > length)) break; if (ptype == SCTP_RANDOM) { diff --git a/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c b/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c index 6efcbab91e8..355686fb904 100755 --- a/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c +++ b/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c @@ -34,7 +34,7 @@ #ifdef __FreeBSD__ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: head/sys/netinet/sctp_pcb.c 334532 2018-06-02 16:28:10Z tuexen $"); +__FBSDID("$FreeBSD: head/sys/netinet/sctp_pcb.c 355931 2019-12-20 15:25:08Z tuexen $"); #endif #include <netinet/sctp_os.h> @@ -7246,7 +7246,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, if (offset + plen > limit) { break; } - if (plen == 0) { + if (plen < sizeof(struct sctp_paramhdr)) { break; } #ifdef INET @@ -7462,6 +7462,9 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, if (plen > sizeof(lstore)) { return (-23); } + if (plen < sizeof(struct sctp_asconf_addrv4_param)) { + return (-101); + } phdr = sctp_get_next_param(m, offset, (struct sctp_paramhdr *)&lstore, plen); |