From patchwork Mon Jun 28 19:13:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcelo Ricardo Leitner X-Patchwork-Id: 12348499 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 66A93C11F64 for ; Mon, 28 Jun 2021 19:14:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4598A61C8E for ; Mon, 28 Jun 2021 19:14:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236201AbhF1TQ3 (ORCPT ); Mon, 28 Jun 2021 15:16:29 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43730 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236145AbhF1TQX (ORCPT ); Mon, 28 Jun 2021 15:16:23 -0400 Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 740BBC061766; Mon, 28 Jun 2021 12:13:56 -0700 (PDT) Received: by mail-pj1-x1031.google.com with SMTP id z3-20020a17090a3983b029016bc232e40bso727304pjb.4; Mon, 28 Jun 2021 12:13:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=PhjEy6KDHjr+YzGN1lUcO12o90YJy/EHuMByPs3R67g=; b=Gss8Bn9T6H2IKvKK9PdOONXrJdeGbOZssuiwtlESdXy6z26YCl5ZlN30LFhEYc9Ss9 IaS/4KZCIQUQ74+CoqgonCr3w96LJeoM68t7KwuGEoAn/ECf6Q4tKkYTJ2jg1nKuVGBg WJsTeGwPW/cL+a5reLibD3SHUSFe7LYvcVzBBasOlSUGsqr3UIpt8UQCmDyxhsK+7tlK LAR1VEE5cE0F/PAVIJJB3LK6dDMfa8KJVtrSNqnspG1CjLsgTJW7gyz6W5lyq061+WZh 9Ud3U3gkU11WBWggMjwMk0RoPyY+BUrcR+OmhkSCILs+SrcH/K6QqJeCZRxPRjIyuYAR 9UrQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=PhjEy6KDHjr+YzGN1lUcO12o90YJy/EHuMByPs3R67g=; b=kJ2DMY1ZilgqVlkCuI9okJqYBVP9uVlY73/lJgseR0QmTFIKazKkVnOpsruwh6NRka Luvc1RPzIx1jM4iVKBwJrMgVioJxk51oSleCLgR22XE+LZisu4mncOOpzxjqDon+8erm +3jORW3JCpb92WtKSNk3e9WU/AFjDXc77tDgZY+TjxvkuN+rGRYtyZho2QGh7M7qKAvz 6wbZBMCZQFszKpWK2r5rDOZBiK61kbsF8pdmfykOVBzXQYY+nxaDhc5d+RIrOgscVx5G 5aPs9WbUoF9uQ9IzG+Tt3g/GJ8FNoxHkf0W8KGxO5qClF3LOWhn3LMmTLVjp8wkFqNxQ jvcQ== X-Gm-Message-State: AOAM533GOv00yaRw0L2LnTyt3mwnMgTyRuIVtB3zf6Sf4lh4e9H5oFL1 Lhutqs20Z4DWAUEg8DDpMoiIdUyezy9s7Q== X-Google-Smtp-Source: ABdhPJykCrtS7wuH+PMY4pPqB9bpNVaiRMPTXUysPz10+lPgiim5a6+4TYWEEC4a6vvVaduYBdTWDQ== X-Received: by 2002:a17:90b:384f:: with SMTP id nl15mr17935988pjb.88.1624907635931; Mon, 28 Jun 2021 12:13:55 -0700 (PDT) Received: from horizon.localdomain ([177.220.172.71]) by smtp.gmail.com with ESMTPSA id y66sm16091305pgb.4.2021.06.28.12.13.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 28 Jun 2021 12:13:54 -0700 (PDT) Received: by horizon.localdomain (Postfix, from userid 1000) id 2A513C0789; Mon, 28 Jun 2021 16:13:52 -0300 (-03) From: Marcelo Ricardo Leitner To: netdev@vger.kernel.org Cc: linux-sctp@vger.kernel.org, Ilja Van Sprundel , Neil Horman , Vlad Yasevich , Xin Long Subject: [PATCH net 1/4] sctp: validate from_addr_param return Date: Mon, 28 Jun 2021 16:13:41 -0300 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org Ilja reported that, simply putting it, nothing was validating that from_addr_param functions were operating on initialized memory. That is, the parameter itself was being validated by sctp_walk_params, but it doesn't check for types and their specific sizes and it could be a 0-length one, causing from_addr_param to potentially work over the next parameter or even uninitialized memory. The fix here is to, in all calls to from_addr_param, check if enough space is there for the wanted IP address type. Reported-by: Ilja Van Sprundel Signed-off-by: Marcelo Ricardo Leitner --- include/net/sctp/structs.h | 2 +- net/sctp/bind_addr.c | 19 +++++++++++-------- net/sctp/input.c | 6 ++++-- net/sctp/ipv6.c | 7 ++++++- net/sctp/protocol.c | 7 ++++++- net/sctp/sm_make_chunk.c | 29 ++++++++++++++++------------- 6 files changed, 44 insertions(+), 26 deletions(-) diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index 1aa585216f34b5fb8ed875cece1a8c22e43690d3..d49593c72a555600c06ad7159934fb17226cc452 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -461,7 +461,7 @@ struct sctp_af { int saddr); void (*from_sk) (union sctp_addr *, struct sock *sk); - void (*from_addr_param) (union sctp_addr *, + bool (*from_addr_param) (union sctp_addr *, union sctp_addr_param *, __be16 port, int iif); int (*to_addr_param) (const union sctp_addr *, diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c index 53e5ed79f63f34f6d237b5d0683925fe9c49f4a9..59e653b528b1faec6c6fcf73f0dd42633880e08d 100644 --- a/net/sctp/bind_addr.c +++ b/net/sctp/bind_addr.c @@ -270,22 +270,19 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list, rawaddr = (union sctp_addr_param *)raw_addr_list; af = sctp_get_af_specific(param_type2af(param->type)); - if (unlikely(!af)) { + if (unlikely(!af) || + !af->from_addr_param(&addr, rawaddr, htons(port), 0)) { retval = -EINVAL; - sctp_bind_addr_clean(bp); - break; + goto out_err; } - af->from_addr_param(&addr, rawaddr, htons(port), 0); if (sctp_bind_addr_state(bp, &addr) != -1) goto next; retval = sctp_add_bind_addr(bp, &addr, sizeof(addr), SCTP_ADDR_SRC, gfp); - if (retval) { + if (retval) /* Can't finish building the list, clean up. */ - sctp_bind_addr_clean(bp); - break; - } + goto out_err; next: len = ntohs(param->length); @@ -294,6 +291,12 @@ int sctp_raw_to_bind_addrs(struct sctp_bind_addr *bp, __u8 *raw_addr_list, } return retval; + +out_err: + if (retval) + sctp_bind_addr_clean(bp); + + return retval; } /******************************************************************** diff --git a/net/sctp/input.c b/net/sctp/input.c index d508f6f3dd08a33419c010d7944f9f70cacdd700..8924e2e142c8234dac233e56e923110e266c9834 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -1131,7 +1131,8 @@ static struct sctp_association *__sctp_rcv_init_lookup(struct net *net, if (!af) continue; - af->from_addr_param(paddr, params.addr, sh->source, 0); + if (!af->from_addr_param(paddr, params.addr, sh->source, 0)) + continue; asoc = __sctp_lookup_association(net, laddr, paddr, transportp); if (asoc) @@ -1174,7 +1175,8 @@ static struct sctp_association *__sctp_rcv_asconf_lookup( if (unlikely(!af)) return NULL; - af->from_addr_param(&paddr, param, peer_port, 0); + if (af->from_addr_param(&paddr, param, peer_port, 0)) + return NULL; return __sctp_lookup_association(net, laddr, &paddr, transportp); } diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index bd08807c9e44758b56cdf1cad94dda7184e14fb5..5c6f5ced9cfa631ba73c203478a28c07a27498d0 100644 --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -551,15 +551,20 @@ static void sctp_v6_to_sk_daddr(union sctp_addr *addr, struct sock *sk) } /* Initialize a sctp_addr from an address parameter. */ -static void sctp_v6_from_addr_param(union sctp_addr *addr, +static bool sctp_v6_from_addr_param(union sctp_addr *addr, union sctp_addr_param *param, __be16 port, int iif) { + if (ntohs(param->v6.param_hdr.length) < sizeof(struct sctp_ipv6addr_param)) + return false; + addr->v6.sin6_family = AF_INET6; addr->v6.sin6_port = port; addr->v6.sin6_flowinfo = 0; /* BUG */ addr->v6.sin6_addr = param->v6.addr; addr->v6.sin6_scope_id = iif; + + return true; } /* Initialize an address parameter from a sctp_addr and return the length diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c index 6f2bbfeec3a4c7e8386f70a470e83063204dc50e..25192b378e2ece85a0d5fe1a13b713fd5b331ca7 100644 --- a/net/sctp/protocol.c +++ b/net/sctp/protocol.c @@ -254,14 +254,19 @@ static void sctp_v4_to_sk_daddr(union sctp_addr *addr, struct sock *sk) } /* Initialize a sctp_addr from an address parameter. */ -static void sctp_v4_from_addr_param(union sctp_addr *addr, +static bool sctp_v4_from_addr_param(union sctp_addr *addr, union sctp_addr_param *param, __be16 port, int iif) { + if (ntohs(param->v4.param_hdr.length) < sizeof(struct sctp_ipv4addr_param)) + return false; + addr->v4.sin_family = AF_INET; addr->v4.sin_port = port; addr->v4.sin_addr.s_addr = param->v4.addr.s_addr; memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero)); + + return true; } /* Initialize an address parameter from a sctp_addr and return the length diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 5b44d228b6cacc720300d9f5951115a95a828163..f33a870b483da7123e2ddb4473b6200a1aca5ade 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -2346,11 +2346,13 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk, /* Process the initialization parameters. */ sctp_walk_params(param, peer_init, init_hdr.params) { - if (!src_match && (param.p->type == SCTP_PARAM_IPV4_ADDRESS || - param.p->type == SCTP_PARAM_IPV6_ADDRESS)) { + if (!src_match && + (param.p->type == SCTP_PARAM_IPV4_ADDRESS || + param.p->type == SCTP_PARAM_IPV6_ADDRESS)) { af = sctp_get_af_specific(param_type2af(param.p->type)); - af->from_addr_param(&addr, param.addr, - chunk->sctp_hdr->source, 0); + if (!af->from_addr_param(&addr, param.addr, + chunk->sctp_hdr->source, 0)) + continue; if (sctp_cmp_addr_exact(sctp_source(chunk), &addr)) src_match = 1; } @@ -2531,7 +2533,8 @@ static int sctp_process_param(struct sctp_association *asoc, break; do_addr_param: af = sctp_get_af_specific(param_type2af(param.p->type)); - af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0); + if (!af->from_addr_param(&addr, param.addr, htons(asoc->peer.port), 0)) + break; scope = sctp_scope(peer_addr); if (sctp_in_scope(net, &addr, scope)) if (!sctp_assoc_add_peer(asoc, &addr, gfp, SCTP_UNCONFIRMED)) @@ -2632,15 +2635,13 @@ static int sctp_process_param(struct sctp_association *asoc, addr_param = param.v + sizeof(struct sctp_addip_param); af = sctp_get_af_specific(param_type2af(addr_param->p.type)); - if (af == NULL) + if (!af) break; - af->from_addr_param(&addr, addr_param, - htons(asoc->peer.port), 0); + if (!af->from_addr_param(&addr, addr_param, + htons(asoc->peer.port), 0)) + break; - /* if the address is invalid, we can't process it. - * XXX: see spec for what to do. - */ if (!af->addr_valid(&addr, NULL, NULL)) break; @@ -3054,7 +3055,8 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc, if (unlikely(!af)) return SCTP_ERROR_DNS_FAILED; - af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0); + if (!af->from_addr_param(&addr, addr_param, htons(asoc->peer.port), 0)) + return SCTP_ERROR_DNS_FAILED; /* ADDIP 4.2.1 This parameter MUST NOT contain a broadcast * or multicast address. @@ -3331,7 +3333,8 @@ static void sctp_asconf_param_success(struct sctp_association *asoc, /* We have checked the packet before, so we do not check again. */ af = sctp_get_af_specific(param_type2af(addr_param->p.type)); - af->from_addr_param(&addr, addr_param, htons(bp->port), 0); + if (!af->from_addr_param(&addr, addr_param, htons(bp->port), 0)) + return; switch (asconf_param->param_hdr.type) { case SCTP_PARAM_ADD_IP: From patchwork Mon Jun 28 19:13:42 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcelo Ricardo Leitner X-Patchwork-Id: 12348501 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DDC09C11F65 for ; Mon, 28 Jun 2021 19:14:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C567861C8C for ; Mon, 28 Jun 2021 19:14:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236235AbhF1TQa (ORCPT ); Mon, 28 Jun 2021 15:16:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43732 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236157AbhF1TQX (ORCPT ); Mon, 28 Jun 2021 15:16:23 -0400 Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8E27BC061574; Mon, 28 Jun 2021 12:13:56 -0700 (PDT) Received: by mail-pg1-x530.google.com with SMTP id y17so4010915pgf.12; Mon, 28 Jun 2021 12:13:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=RAjeU+Y5XUPaM8GmdFRhS2j+LHxIZ0Syzo2LSB2N+GE=; b=E9gDax0X1YV0YTl7VPUUYqMA61gXcUE1y9WPJa2okracM+ESQfogKY4LvZpdct9Rjr pYHeKAagTaqr6fInYpBb794doBaeU3yH5k76uzu/WxUIZNw1e7OS9LCL0t7YcX3XYH3I muVVJDRBy15Bt79iXgsmsmiHosBSiUCp290LtcrL/qupKVSWYjG8QtNZ7HDPkiPI45no CXd9QHQxG4Bvnmvkt7GVwYEdo4aTeOQrPaKBtfyv4niS48NgO9HUVMyl/BSWFZzujoP+ HNg7Tg3TXJ2DtrBtV+oprLN2DG/22r5bRNGi/pe5I9c/YKMm/fRzd14YVpGBHDbdJYyB OZaA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=RAjeU+Y5XUPaM8GmdFRhS2j+LHxIZ0Syzo2LSB2N+GE=; b=UpCg9553aJvPREAiy9HxCrF5ibnTbMMr9G+nZMjfsNwgjP1qLx+YliTwHjMz49v2qz N8qwZhxX2KQn5KpiMhNElAiVzKO5+12BVY50l9Y+PGv1Dmt0mTbABzQxB9tencUiJJXE TM+D2KJnPE8OPJ5HhDGYm0Uwijwh72+XL98Hs7QRmt5a7WnxDDRNSJoi6S3XYesg7VTF H6kgY35Rp2naV570VmtYLFVwUgLsWRc+8g2uAhQUrZnXLU8FJEsv5qU11dyPgNSd6L2s cxgnwVDERElKgrFNA6mYXLYBvYKa0VqD4cJcfyx6zOvMkpBGVnNO1N2hMJ5BUFDl9Ui6 88JQ== X-Gm-Message-State: AOAM532abXCPjtApGZoufUxFAdRDvpxSkJSgi8PDx+Om2JLOwvBlTavl 5KY75NyYeUNvE0uegxqsUCo= X-Google-Smtp-Source: ABdhPJw0RQD23WBcFluZFa6YPjMMRKUkBEPMJCyrh/uwkCTn1IXBVb79L022yfoQUV+aWTM/mTTabg== X-Received: by 2002:a62:8286:0:b029:2fc:812d:2e70 with SMTP id w128-20020a6282860000b02902fc812d2e70mr21915448pfd.24.1624907636121; Mon, 28 Jun 2021 12:13:56 -0700 (PDT) Received: from horizon.localdomain ([177.220.172.71]) by smtp.gmail.com with ESMTPSA id c14sm15226806pgv.86.2021.06.28.12.13.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 28 Jun 2021 12:13:54 -0700 (PDT) Received: by horizon.localdomain (Postfix, from userid 1000) id 2E148C13E5; Mon, 28 Jun 2021 16:13:52 -0300 (-03) From: Marcelo Ricardo Leitner To: netdev@vger.kernel.org Cc: linux-sctp@vger.kernel.org, Ilja Van Sprundel , Neil Horman , Vlad Yasevich , Xin Long Subject: [PATCH net 2/4] sctp: add size validation when walking chunks Date: Mon, 28 Jun 2021 16:13:42 -0300 Message-Id: <1f204ae1a2b2dfe6ea49fd9fdd583a4d02a70542.1624904195.git.marcelo.leitner@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org The first chunk in a packet is ensured to be present at the beginning of sctp_rcv(), as a packet needs to have at least 1 chunk. But the second one, may not be completely available and ch->length can be over uninitialized memory. Fix here is by only trying to walk on the next chunk if there is enough to hold at least the header, and then proceed with the ch->length validation that is already there. Reported-by: Ilja Van Sprundel Signed-off-by: Marcelo Ricardo Leitner --- net/sctp/input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/input.c b/net/sctp/input.c index 8924e2e142c8234dac233e56e923110e266c9834..f72bff93745c44be0dbfa29e754f2872a7d874c2 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -1247,7 +1247,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net, ch = (struct sctp_chunkhdr *)ch_end; chunk_num++; - } while (ch_end < skb_tail_pointer(skb)); + } while (ch_end + sizeof(*ch) < skb_tail_pointer(skb)); return asoc; } From patchwork Mon Jun 28 19:13:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcelo Ricardo Leitner X-Patchwork-Id: 12348493 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CACA0C11F65 for ; Mon, 28 Jun 2021 19:13:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A8C3961C99 for ; Mon, 28 Jun 2021 19:13:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236139AbhF1TQW (ORCPT ); Mon, 28 Jun 2021 15:16:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43726 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233471AbhF1TQV (ORCPT ); Mon, 28 Jun 2021 15:16:21 -0400 Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 924F7C061766; Mon, 28 Jun 2021 12:13:55 -0700 (PDT) Received: by mail-pg1-x530.google.com with SMTP id e20so16321118pgg.0; Mon, 28 Jun 2021 12:13:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=uWW8HGuUDgrrnkGEzBraPNH597iMHRW9Pf/jY6NR5aE=; b=KV8DypDgZNdo432vlJYssN68WXSDKFleldfI1QydY1IiGO7JSKsqj4Lx7Xfn4cQdBq GsKLCMy2mMYFoPI+8ZmZ1gyhwTdb2gmxs6Gsc/3g5eSLxsoKrff2fhJWF8aqXtPnEjnR QXn0qdzbOdrS+RoUNKZ6LMfBGsGA+PF32FFJc1JY3DJ3SM1lFve9q6PZ8++cvGOHGVg3 RAyWl7XByqVPJMpK8hg4OwMF1JeMkshdtvE5PdV/yiS45975O81A5Ohuccl48nXq2FJo ZcPwMTaWSyMI3wZ0fXS3V3vBYZ/QV9TWzHC870XjTaQDV2B34hnJAwdwr/J3Z316nRFX fl5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=uWW8HGuUDgrrnkGEzBraPNH597iMHRW9Pf/jY6NR5aE=; b=EcOOvsfbw2m00F+8kM2GmZCDmq3NxLXVqEzcySKB/4yDPuXywIvS953rclRXqdUUny +4xE+JH2YuCmUfWvtBmYlKBV8ozmkaXeyd342sG+petyuHMiYu0v3x4XhuZzWRZpL3Ax wBjmuGzEyg+MFS4wKSYg6qmai8m2BhbtjAmWS73Itq9mvTccBjZ5I2oCRupY+9KfLGFd MoJnm8L/dcVIBoK6DWESk8fQoeVLdsI8+yUVikFFlQOPqkxyN6E7pMucJe+DDgis9Obh Z3KWcaE8oKfuJM6f8zVJvJcbvt++Lpbix8xMUdw1QjT58Z4wY5TnWwIX/o7VlAWo4cYl zPTg== X-Gm-Message-State: AOAM533Aitrgl5Dtj31YkYRlvQbpLAa3hKufS6/ZBwJZjUpgGzVwG71f 2TjaptgN8ph3zI6GSG0taQo= X-Google-Smtp-Source: ABdhPJxdQ3FEJ+0bJNktIq9UgxEewCQ8ohGzvCRQRMEU4ETWlR/lwP+jQzwb+dMkUGuXiowNIyQXsA== X-Received: by 2002:a65:614d:: with SMTP id o13mr24541353pgv.351.1624907635147; Mon, 28 Jun 2021 12:13:55 -0700 (PDT) Received: from horizon.localdomain ([2001:1284:f016:ff7f:d8af:5617:5a5c:1405]) by smtp.gmail.com with ESMTPSA id e29sm3096720pfm.0.2021.06.28.12.13.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 28 Jun 2021 12:13:54 -0700 (PDT) Received: by horizon.localdomain (Postfix, from userid 1000) id 31F52C13E8; Mon, 28 Jun 2021 16:13:52 -0300 (-03) From: Marcelo Ricardo Leitner To: netdev@vger.kernel.org Cc: linux-sctp@vger.kernel.org, Ilja Van Sprundel , Neil Horman , Vlad Yasevich , Xin Long Subject: [PATCH net 3/4] sctp: validate chunk size in __rcv_asconf_lookup Date: Mon, 28 Jun 2021 16:13:43 -0300 Message-Id: <136de038e69235a64a7331465951f0751d4d83bd.1624904195.git.marcelo.leitner@gmail.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org In one of the fallbacks that SCTP has for identifying an association for an incoming packet, it looks for AddIp chunk (from ASCONF) and take a peek. Thing is, at this stage nothing was validating that the chunk actually had enough content for that, allowing the peek to happen over uninitialized memory. Similar check already exists in actual asconf handling in sctp_verify_asconf(). Signed-off-by: Marcelo Ricardo Leitner --- net/sctp/input.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sctp/input.c b/net/sctp/input.c index f72bff93745c44be0dbfa29e754f2872a7d874c2..96dea8097dbeb4e29d537292d31dde5f02188389 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -1168,6 +1168,9 @@ static struct sctp_association *__sctp_rcv_asconf_lookup( union sctp_addr_param *param; union sctp_addr paddr; + if (ntohs(ch->length) < sizeof(*asconf) + sizeof(struct sctp_paramhdr)) + return NULL; + /* Skip over the ADDIP header and find the Address parameter */ param = (union sctp_addr_param *)(asconf + 1); From patchwork Mon Jun 28 19:13:44 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marcelo Ricardo Leitner X-Patchwork-Id: 12348497 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 139DCC11F65 for ; Mon, 28 Jun 2021 19:14:03 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EDEB161C94 for ; Mon, 28 Jun 2021 19:14:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236188AbhF1TQ2 (ORCPT ); Mon, 28 Jun 2021 15:16:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43724 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235278AbhF1TQW (ORCPT ); Mon, 28 Jun 2021 15:16:22 -0400 Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 57C63C061760; Mon, 28 Jun 2021 12:13:55 -0700 (PDT) Received: by mail-pg1-x52e.google.com with SMTP id v7so16307190pgl.2; Mon, 28 Jun 2021 12:13:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=BCs+o6gnuZtfNOzQ4frdEyd2QHilOo8Pj6iWOjokB3s=; b=BplzLOLNxYA00SkMeaix/bUXKP0Kf0s4DsFQ6TD9ikLPsurY14W4kuDuOiwfqjYl5s k39d9S9aZ1KdXAbguHNeCzzET8EnW0DopvD9I7vVL6/KPQVYmXKKFT88WD295SD1tj5V pmyp1IR/C4IEUlaOmOGzQFwNCgjDE+hazP/637Lb+uZ4PmlXtKxaBlT14DsHva+tuirB QVPu+JdfMBK6H+66pxfKCvVthb9mHgxQDt2niAmTxgatLyaSuGjfP9sadw+KDQWbVPoA aq2bfQuIkeyV0/lLCsqyEq2phZEPWnq++J+jxqxx/vanexoW+LF/+X8Zz8pyM1Fkh138 D4VQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=BCs+o6gnuZtfNOzQ4frdEyd2QHilOo8Pj6iWOjokB3s=; b=IyXiFHikLwkI1rms5MIBOvSbcf7yvA/8eAsJ+ZEvAe2QsHke/cENOpXGJcEoh/Q1ZL CELNreHOOWDnH1rHE2x7boERy8AbGLghT3v9RhNcjJ7aPcYUTAmeCHI7yPzX2BKRYpSP hXrNXoiXBx4NVsZVF/zTzQwpcEIJAs/s+zDgRodPIdZ5ujzezU8w5QYY4/ng7VKF2zTG sZtsBKZXA0JmT0i//ALK6mkI55q2BY+6X6gwdZ5gOpsTBoON8A6YjzPVeHAafoEQSsOC RUGflO0KHmN8LfotbUc5xKbrvt8F0JAwCojigWRoVPrxYM2P2ztDdVcoRCjFCzYs2ejl c9Vg== X-Gm-Message-State: AOAM5308b2POZc/If1kRDGF9QC7LkpK23mN7Z1eFmpRkdX8ALAQq9S19 OueERWy0bwjzaonE0Y24Yg8= X-Google-Smtp-Source: ABdhPJyiKFIdr3hbu7dZXAZ4/QDE46GPyiYAXPA58rfCzU2ZMzC8su6No4EYhe1C7WLFw2ebhI8sVQ== X-Received: by 2002:a05:6a00:168a:b029:2fb:6bb0:aba with SMTP id k10-20020a056a00168ab02902fb6bb00abamr26557996pfc.32.1624907634902; Mon, 28 Jun 2021 12:13:54 -0700 (PDT) Received: from horizon.localdomain ([177.220.172.71]) by smtp.gmail.com with ESMTPSA id g123sm10203999pfb.187.2021.06.28.12.13.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 28 Jun 2021 12:13:54 -0700 (PDT) Received: by horizon.localdomain (Postfix, from userid 1000) id 3604DC13E9; Mon, 28 Jun 2021 16:13:52 -0300 (-03) From: Marcelo Ricardo Leitner To: netdev@vger.kernel.org Cc: linux-sctp@vger.kernel.org, Ilja Van Sprundel , Neil Horman , Vlad Yasevich , Xin Long Subject: [PATCH net 4/4] sctp: add param size validation for SCTP_PARAM_SET_PRIMARY Date: Mon, 28 Jun 2021 16:13:44 -0300 Message-Id: X-Mailer: git-send-email 2.31.1 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org When SCTP handles an INIT chunk, it calls for example: sctp_sf_do_5_1B_init sctp_verify_init sctp_verify_param sctp_process_init sctp_process_param handling of SCTP_PARAM_SET_PRIMARY sctp_verify_init() wasn't doing proper size validation and neither the later handling, allowing it to work over the chunk itself, possibly being uninitialized memory. Signed-off-by: Marcelo Ricardo Leitner --- net/sctp/sm_make_chunk.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index f33a870b483da7123e2ddb4473b6200a1aca5ade..587fb3cb88e29f53148cd21f13a2a86487ce292b 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -2166,9 +2166,16 @@ static enum sctp_ierror sctp_verify_param(struct net *net, break; case SCTP_PARAM_SET_PRIMARY: - if (ep->asconf_enable) - break; - goto unhandled; + if (!ep->asconf_enable) + goto unhandled; + + if (ntohs(param.p->length) < sizeof(struct sctp_addip_param) + + sizeof(struct sctp_paramhdr)) { + sctp_process_inv_paramlength(asoc, param.p, + chunk, err_chunk); + retval = SCTP_IERROR_ABORT; + } + break; case SCTP_PARAM_HOST_NAME_ADDRESS: /* Tell the peer, we won't support this param. */