dcsctp: Avoid infinite loops on zero-length chunks
Every chunk should be at least 4 bytes to be valid - that's the size of
the chunk header. If the embedded length was zero (0), iterating over
the chunks would never complete. Fixed now.
Bug: webrtc:12614
Change-Id: I1cbd070ad34a51584f6b09c5364c3db1b2bcdc2e
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/214483
Reviewed-by: Tommi <tommi@webrtc.org>
Commit-Queue: Victor Boivie <boivie@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#33658}
diff --git a/net/dcsctp/packet/sctp_packet.cc b/net/dcsctp/packet/sctp_packet.cc
index 53f77ef..1e12367 100644
--- a/net/dcsctp/packet/sctp_packet.cc
+++ b/net/dcsctp/packet/sctp_packet.cc
@@ -145,6 +145,9 @@
RTC_DLOG(LS_WARNING) << "Too large chunk. length=" << length
<< ", remaining=" << descriptor_data.size();
return absl::nullopt;
+ } else if (padded_length < kChunkTlvHeaderSize) {
+ RTC_DLOG(LS_WARNING) << "Too small chunk. length=" << length;
+ return absl::nullopt;
}
descriptors.emplace_back(type, flags,
descriptor_data.subview(0, padded_length));
diff --git a/net/dcsctp/packet/sctp_packet_test.cc b/net/dcsctp/packet/sctp_packet_test.cc
index ad4d0cc..ece1b7b 100644
--- a/net/dcsctp/packet/sctp_packet_test.cc
+++ b/net/dcsctp/packet/sctp_packet_test.cc
@@ -292,5 +292,11 @@
EXPECT_EQ(cause.upper_layer_abort_reason(), "");
}
+TEST(SctpPacketTest, DetectPacketWithZeroSizeChunk) {
+ uint8_t data[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0x0a, 0x0a, 0x0a, 0x5c,
+ 0x0a, 0x0a, 0x0a, 0x0a, 0x0a, 0x00, 0x00, 0x00};
+
+ EXPECT_FALSE(SctpPacket::Parse(data, true).has_value());
+}
} // namespace
} // namespace dcsctp
