From 13500cbb61cc2984494d78633b311ecc2dec4e1c Mon Sep 17 00:00:00 2001
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Sat, 2 Jun 2018 16:28:10 +0000
Subject: [PATCH] Don't overflow a buffer if we receive an INIT or INIT-ACK
 chunk without a RANDOM parameter but with a CHUNKS or HMAC-ALGO parameter.
 Please note that sending this combination violates the specification.

Thnanks to Ronald E. Crane for reporting the issue for the userland
stack.

MFC after:	3 days
---
 sys/netinet/sctp_auth.c | 2 ++
 sys/netinet/sctp_pcb.c  | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/sys/netinet/sctp_auth.c b/sys/netinet/sctp_auth.c
index 9ba52c94d72..c562bb7e17b 100644
--- a/sys/netinet/sctp_auth.c
+++ b/sys/netinet/sctp_auth.c
@@ -1504,6 +1504,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
 		if (p_random != NULL) {
 			keylen = sizeof(*p_random) + random_len;
 			memcpy(new_key->key, p_random, keylen);
+		} else {
+			keylen = 0;
 		}
 		/* append in the AUTH chunks */
 		if (chunks != NULL) {
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index b13f2c98071..efe31a4f53b 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -6704,6 +6704,8 @@ next_param:
 		if (p_random != NULL) {
 			keylen = sizeof(*p_random) + random_len;
 			memcpy(new_key->key, p_random, keylen);
+		} else {
+			keylen = 0;
 		}
 		/* append in the AUTH chunks */
 		if (chunks != NULL) {