From ccc7fbdaadddfba6d1a7716d99dff978be5b137f Mon Sep 17 00:00:00 2001
From: tuexen
Date: Wed, 6 Jun 2018 22:34:20 +0000
Subject: [PATCH] MFstable/11 334732: Don't overflow a buffer if we receive an INIT or INIT-ACK chunk without a RANDOM parameter but with a CHUNKS or HMAC-ALGO parameter. Please note that sending this combination violates the specification. Thanks to Ronald E. Crane for reporting the issue for the userland stack. Approved by: re (gjb@)
---
 sys/netinet/sctp_auth.c | 2 ++
 sys/netinet/sctp_pcb.c | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/sys/netinet/sctp_auth.c b/sys/netinet/sctp_auth.c
index 371d0113844..ad1f1efb502 100644
--- a/sys/netinet/sctp_auth.c
+++ b/sys/netinet/sctp_auth.c
@@ -1502,6 +1502,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
 if (p_random != NULL) {
 keylen = sizeof(*p_random) + random_len;
 memcpy(new_key->key, p_random, keylen);
+ } else {
+ keylen = 0;
 }
 /* append in the AUTH chunks */
 if (chunks != NULL) {
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 6669d1b0997..8c65cb4795e 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -6702,6 +6702,8 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
 if (p_random != NULL) {
 keylen = sizeof(*p_random) + random_len;
 memcpy(new_key->key, p_random, keylen);
+ } else {
+ keylen = 0;
 }
 /* append in the AUTH chunks */
 if (chunks != NULL) {
-- 
2.45.0
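Review bot: The new `else` branch in sctp_auth_get_cookie_params() resets `keylen` without a comment, and the hunk alone does not show why the reset matters. Judging from the commit message, `keylen` appears to be reused as the write offset into `new_key->key` when the CHUNKS and HMAC-ALGO parameters are appended, so a stale value would push those copies past the buffer. A comment above `keylen = 0;` such as `/* no RANDOM parameter from the peer: the appends below must start at offset 0 */` would keep the branch from later being removed as redundant. The identical branch is added to sctp_load_addresses_from_init() in sys/netinet/sctp_pcb.c, so the two copies of this key-concatenation sequence would be easier to keep consistent in one shared helper. Both functions start and end outside the hunks, so how `new_key` is sized and how the appends use `keylen` could not be checked here.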