From 6c9be50c2d901e66119679155fb3c7c9200448d1 Mon Sep 17 00:00:00 2001
From: Mirko Bonadei <mbonadei@chromium.org>
Date: Mon, 16 Mar 2020 05:40:55 +0000
Subject: [Backport] CVE-2019-20503: Out of bounds read in usersctplib

Manual backport of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/2093604
https://chromium-review.googlesource.com/c/chromium/src/+/2104774
[Merge M80 minibranch] - Point usrsctp to a68325e7d9ed844cc84ec134192d788586ea6cc1.

(cherry picked from commit 3030db702eee4f24e74e84b66024bd0875fd5418)

Bug: 1059349
Change-Id: Ib13d240407297ee508865fdfc38425377a9d064b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
 .../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c  | 5 +++--
 .../third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c   | 7 +++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c b/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c
index 5e5813b3f17..bc645b36d90 100755
--- a/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c
+++ b/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_auth.c
@@ -34,7 +34,7 @@
 
 #ifdef __FreeBSD__
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 334532 2018-06-02 16:28:10Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_auth.c 355931 2019-12-20 15:25:08Z tuexen $");
 #endif
 
 #include <netinet/sctp_os.h>
@@ -1455,7 +1455,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
 		ptype = ntohs(phdr->param_type);
 		plen = ntohs(phdr->param_length);
 
-		if ((plen == 0) || (offset + plen > length))
+		if ((plen < sizeof(struct sctp_paramhdr)) ||
+		    (offset + plen > length))
 			break;
 
 		if (ptype == SCTP_RANDOM) {
diff --git a/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c b/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c
index 6efcbab91e8..355686fb904 100755
--- a/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c
+++ b/chromium/third_party/usrsctp/usrsctplib/usrsctplib/netinet/sctp_pcb.c
@@ -34,7 +34,7 @@
 
 #ifdef __FreeBSD__
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: head/sys/netinet/sctp_pcb.c 334532 2018-06-02 16:28:10Z tuexen $");
+__FBSDID("$FreeBSD: head/sys/netinet/sctp_pcb.c 355931 2019-12-20 15:25:08Z tuexen $");
 #endif
 
 #include <netinet/sctp_os.h>
@@ -7246,7 +7246,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
 		if (offset + plen > limit) {
 			break;
 		}
-		if (plen == 0) {
+		if (plen < sizeof(struct sctp_paramhdr)) {
 			break;
 		}
 #ifdef INET
@@ -7462,6 +7462,9 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
 			if (plen > sizeof(lstore)) {
 				return (-23);
 			}
+			if (plen < sizeof(struct sctp_asconf_addrv4_param)) {
+				return (-101);
+			}
 			phdr = sctp_get_next_param(m, offset,
 						   (struct sctp_paramhdr *)&lstore,
 						   plen);
-- 
cgit v1.2.1