diff mbox series

[net] sctp: account stream padding length for reconf chunk

Message ID b97c1f8b0c7ff79ac4ed206fc2c49d3612e0850c.1634156849.git.mleitner@redhat.com (mailing list archive)
State Accepted
Commit a2d859e3fc97e79d907761550dbc03ff1b36479c
Delegated to: Netdev Maintainers
Headers show
Series [net] sctp: account stream padding length for reconf chunk | expand

Checks

Context Check Description
netdev/cover_letter success Single patches do not need cover letters
netdev/fixes_present success Fixes tag present in non-next series
netdev/patch_count success Link
netdev/tree_selection success Clearly marked for net
netdev/subject_prefix success Link
netdev/cc_maintainers warning 1 maintainers not CCed: linux-sctp@vger.kernel.org
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Fixes tag looks correct
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 2
netdev/header_inline success No static functions without inline keyword in header files

Commit Message

Marcelo Ricardo Leitner Oct. 13, 2021, 8:27 p.m. UTC 
From: Eiichi Tsukata <eiichi.tsukata@nutanix.com>

sctp_make_strreset_req() makes repeated calls to sctp_addto_chunk()
which will automatically account for padding on each call. inreq and
outreq are already 4 bytes aligned, but the payload is not and doing
SCTP_PAD4(a + b) (which _sctp_make_chunk() did implicitly here) is
different from SCTP_PAD4(a) + SCTP_PAD4(b) and not enough. It led to
possible attempt to use more buffer than it was allocated and triggered
a BUG_ON.

Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: linux-sctp@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Greg KH <gregkh@linuxfoundation.org>
Fixes: cc16f00f6529 ("sctp: add support for generating stream reconf ssn reset request chunk")
Reported-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
---
 net/sctp/sm_make_chunk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Xin Long Oct. 14, 2021, 4:38 a.m. UTC | #1 
On Thu, Oct 14, 2021 at 4:27 AM Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
>
> From: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
>
> sctp_make_strreset_req() makes repeated calls to sctp_addto_chunk()
> which will automatically account for padding on each call. inreq and
> outreq are already 4 bytes aligned, but the payload is not and doing
> SCTP_PAD4(a + b) (which _sctp_make_chunk() did implicitly here) is
> different from SCTP_PAD4(a) + SCTP_PAD4(b) and not enough. It led to
> possible attempt to use more buffer than it was allocated and triggered
> a BUG_ON.
>
> Cc: Vlad Yasevich <vyasevich@gmail.com>
> Cc: Neil Horman <nhorman@tuxdriver.com>
> Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: linux-sctp@vger.kernel.org
> Cc: netdev@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: Greg KH <gregkh@linuxfoundation.org>
> Fixes: cc16f00f6529 ("sctp: add support for generating stream reconf ssn reset request chunk")
> Reported-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
> Signed-off-by: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
> ---
>  net/sctp/sm_make_chunk.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index b8fa8f1a7277..c7503fd64915 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -3697,7 +3697,7 @@ struct sctp_chunk *sctp_make_strreset_req(
>         outlen = (sizeof(outreq) + stream_len) * out;
>         inlen = (sizeof(inreq) + stream_len) * in;
>
> -       retval = sctp_make_reconf(asoc, outlen + inlen);
> +       retval = sctp_make_reconf(asoc, SCTP_PAD4(outlen) + SCTP_PAD4(inlen));
>         if (!retval)
>                 return NULL;
>
> --
> 2.31.1
>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
patchwork-bot+netdevbpf@kernel.org Oct. 14, 2021, 2:30 p.m. UTC | #2 
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 13 Oct 2021 17:27:29 -0300 you wrote:
> From: Eiichi Tsukata <eiichi.tsukata@nutanix.com>
> 
> sctp_make_strreset_req() makes repeated calls to sctp_addto_chunk()
> which will automatically account for padding on each call. inreq and
> outreq are already 4 bytes aligned, but the payload is not and doing
> SCTP_PAD4(a + b) (which _sctp_make_chunk() did implicitly here) is
> different from SCTP_PAD4(a) + SCTP_PAD4(b) and not enough. It led to
> possible attempt to use more buffer than it was allocated and triggered
> a BUG_ON.
> 
> [...]

Here is the summary with links:
  - [net] sctp: account stream padding length for reconf chunk
    https://git.kernel.org/netdev/net/c/a2d859e3fc97

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff mbox series

Patch

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index b8fa8f1a7277..c7503fd64915 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3697,7 +3697,7 @@  struct sctp_chunk *sctp_make_strreset_req(
 	outlen = (sizeof(outreq) + stream_len) * out;
 	inlen = (sizeof(inreq) + stream_len) * in;
 
-	retval = sctp_make_reconf(asoc, outlen + inlen);
+	retval = sctp_make_reconf(asoc, SCTP_PAD4(outlen) + SCTP_PAD4(inlen));
 	if (!retval)
 		return NULL;