From patchwork Mon Jun 28 19:13:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcelo Ricardo Leitner X-Patchwork-Id: 12348493 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CACA0C11F65 for ; Mon, 28 Jun 2021 19:13:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A8C3961C99 for ; Mon, 28 Jun 2021 19:13:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236139AbhF1TQW (ORCPT ); Mon, 28 Jun 2021 15:16:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43726 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233471AbhF1TQV (ORCPT ); Mon, 28 Jun 2021 15:16:21 -0400 Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 924F7C061766; Mon, 28 Jun 2021 12:13:55 -0700 (PDT) Received: by mail-pg1-x530.google.com with SMTP id e20so16321118pgg.0; Mon, 28 Jun 2021 12:13:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=uWW8HGuUDgrrnkGEzBraPNH597iMHRW9Pf/jY6NR5aE=; b=KV8DypDgZNdo432vlJYssN68WXSDKFleldfI1QydY1IiGO7JSKsqj4Lx7Xfn4cQdBq GsKLCMy2mMYFoPI+8ZmZ1gyhwTdb2gmxs6Gsc/3g5eSLxsoKrff2fhJWF8aqXtPnEjnR QXn0qdzbOdrS+RoUNKZ6LMfBGsGA+PF32FFJc1JY3DJ3SM1lFve9q6PZ8++cvGOHGVg3 RAyWl7XByqVPJMpK8hg4OwMF1JeMkshdtvE5PdV/yiS45975O81A5Ohuccl48nXq2FJo ZcPwMTaWSyMI3wZ0fXS3V3vBYZ/QV9TWzHC870XjTaQDV2B34hnJAwdwr/J3Z316nRFX fl5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=uWW8HGuUDgrrnkGEzBraPNH597iMHRW9Pf/jY6NR5aE=; b=EcOOvsfbw2m00F+8kM2GmZCDmq3NxLXVqEzcySKB/4yDPuXywIvS953rclRXqdUUny +4xE+JH2YuCmUfWvtBmYlKBV8ozmkaXeyd342sG+petyuHMiYu0v3x4XhuZzWRZpL3Ax wBjmuGzEyg+MFS4wKSYg6qmai8m2BhbtjAmWS73Itq9mvTccBjZ5I2oCRupY+9KfLGFd MoJnm8L/dcVIBoK6DWESk8fQoeVLdsI8+yUVikFFlQOPqkxyN6E7pMucJe+DDgis9Obh Z3KWcaE8oKfuJM6f8zVJvJcbvt++Lpbix8xMUdw1QjT58Z4wY5TnWwIX/o7VlAWo4cYl zPTg== X-Gm-Message-State: AOAM533Aitrgl5Dtj31YkYRlvQbpLAa3hKufS6/ZBwJZjUpgGzVwG71f 2TjaptgN8ph3zI6GSG0taQo= X-Google-Smtp-Source: ABdhPJxdQ3FEJ+0bJNktIq9UgxEewCQ8ohGzvCRQRMEU4ETWlR/lwP+jQzwb+dMkUGuXiowNIyQXsA== X-Received: by 2002:a65:614d:: with SMTP id o13mr24541353pgv.351.1624907635147; Mon, 28 Jun 2021 12:13:55 -0700 (PDT) Received: from horizon.localdomain ([2001:1284:f016:ff7f:d8af:5617:5a5c:1405]) by smtp.gmail.com with ESMTPSA id e29sm3096720pfm.0.2021.06.28.12.13.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 28 Jun 2021 12:13:54 -0700 (PDT) Received: by horizon.localdomain (Postfix, from userid 1000) id 31F52C13E8; Mon, 28 Jun 2021 16:13:52 -0300 (-03) From: Marcelo Ricardo Leitner To: netdev@vger.kernel.org Cc: linux-sctp@vger.kernel.org, Ilja Van Sprundel , Neil Horman , Vlad Yasevich , Xin Long Subject: [PATCH net 3/4] sctp: validate chunk size in __rcv_asconf_lookup Date: Mon, 28 Jun 2021 16:13:43 -0300 Message-Id: <136de038e69235a64a7331465951f0751d4d83bd.1624904195.git.marcelo.leitner@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org In one of the fallbacks that SCTP has for identifying an association for an incoming packet, it looks for AddIp chunk (from ASCONF) and take a peek. Thing is, at this stage nothing was validating that the chunk actually had enough content for that, allowing the peek to happen over uninitialized memory. Similar check already exists in actual asconf handling in sctp_verify_asconf(). Signed-off-by: Marcelo Ricardo Leitner --- net/sctp/input.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sctp/input.c b/net/sctp/input.c index f72bff93745c44be0dbfa29e754f2872a7d874c2..96dea8097dbeb4e29d537292d31dde5f02188389 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -1168,6 +1168,9 @@ static struct sctp_association *__sctp_rcv_asconf_lookup( union sctp_addr_param *param; union sctp_addr paddr; + if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr)) + return NULL; + /* Skip over the ADDIP header and find the Address parameter */ param = (union sctp_addr_param *)(asconf + 1);