
Commit cb2248e

authored
chore: cherry-pick e89fe66d0473 from Chromium (electron#23515)
1 parent 7fc14a8 commit cb2248e


3 files changed

+61
-1
lines changed


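--- a/patches/config.json
+++ b/patches/config.json
@@ -15,5 +15,7 @@
 
 "src/electron/patches/node": "src/third_party/electron_node",
 
-"src/electron/patches/webrtc": "src/third_party/webrtc"
+"src/electron/patches/webrtc": "src/third_party/webrtc",
+
+"src/electron/patches/usrsctp": "src/third_party/usrsctp/usrsctplib"
 }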

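--- a/patches/usrsctp/.patches
+++ b/patches/usrsctp/.patches
@@ -0,0 +1 @@
+cherry-pick-e89fe66d0473.patch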
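--- a/patches/usrsctp/cherry-pick-e89fe66d0473.patch
+++ b/patches/usrsctp/cherry-pick-e89fe66d0473.patch
@@ -0,0 +1,57 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Michael Tuexen <tuexen@fh-muenster.de>
+Date: Fri, 10 Apr 2020 00:43:45 +0000
+Subject: Improve input validation when processing AUTH chunks
+
+Cherry picked from:
+https://chromium.googlesource.com/external/github.com/sctplab/usrsctp/+/b218e8957d7af0b07ee3ca74caded05ada8d1df9
+https://chromium.googlesource.com/external/github.com/sctplab/usrsctp/+/e89fe66d04735dcfc6bfda1648fbe68008da6277
+
+Bug: 1073602
+
+diff --git a/usrsctplib/netinet/sctp_input.c b/usrsctplib/netinet/sctp_input.c
+index c62bb8506dc0fb86112f35e0b66d08c198e8f9bd..4e53dfb27ec597a8f6ac99c329bc80b9d7306836 100755
+--- a/usrsctplib/netinet/sctp_input.c
++++ b/usrsctplib/netinet/sctp_input.c
+@@ -2178,7 +2178,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
+int init_offset, initack_offset, initack_limit;
+int retval;
+int error = 0;
+- uint8_t auth_chunk_buf[SCTP_PARAM_BUFFER_SIZE];
++ uint8_t auth_chunk_buf[SCTP_CHUNK_BUFFER_SIZE];
+#if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
+struct socket *so;
+
+@@ -2373,8 +2373,11 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
+if (auth_skipped) {
+struct sctp_auth_chunk *auth;
+
+- auth = (struct sctp_auth_chunk *)
+- sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
++ if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
++ auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, auth_chunk_buf);
++ } else {
++ auth = NULL;
++ }
+if ((auth == NULL) || sctp_handle_auth(stcb, auth, m, auth_offset)) {
+/* auth HMAC failed, dump the assoc and packet */
+SCTPDBG(SCTP_DEBUG_AUTH1,
+@@ -4846,11 +4849,13 @@ sctp_process_control(struct mbuf *m, int iphlen, int *offset, int length,
+if (auth_skipped && (stcb != NULL)) {
+struct sctp_auth_chunk *auth;
+
+- auth = (struct sctp_auth_chunk *)
+- sctp_m_getptr(m, auth_offset,
+- auth_len, chunk_buf);
+- got_auth = 1;
+- auth_skipped = 0;
++ if (auth_len <= SCTP_CHUNK_BUFFER_SIZE) {
++ auth = (struct sctp_auth_chunk *)sctp_m_getptr(m, auth_offset, auth_len, chunk_buf);
++ got_auth = 1;
++ auth_skipped = 0;
++ } else {
++ auth = NULL;
++ }
+if ((auth == NULL) || sctp_handle_auth(stcb, auth, m,
+auth_offset)) {
+/* auth HMAC failed so dump it */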
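Review bot: The new length guards in sctp_process_cookie_new and sctp_process_control compare auth_len with the macro SCTP_CHUNK_BUFFER_SIZE rather than with the buffer handed to sctp_m_getptr(), so the bound and the storage can drift apart again; the first hunk's resize of auth_chunk_buf from SCTP_PARAM_BUFFER_SIZE suggests that is the kind of mismatch being fixed. Where the destination is a local array, as auth_chunk_buf is, `if (auth_len <= sizeof(auth_chunk_buf)) {` ties the check to the declaration. chunk_buf's declaration is outside the third hunk, so confirm it is an array of that size before doing the same there. An oversized AUTH chunk now lands in the branch commented `/* auth HMAC failed ... */`, so the debug output cannot tell a rejected length from a failed HMAC; a separate SCTPDBG line for the length case would help triage. Both function bodies start and end outside the hunks shown.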
