Received: by 10.192.165.148 with SMTP id m20csp1151203imm;
        Wed, 2 May 2018 15:14:55 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZrYG57BvRqh/d1boePQTsEL4hnqEEueZjONH+9ft2vZTt3tBxZDQ18rnsulcSWiOX3OPcV+
X-Received: by 2002:a63:7514:: with SMTP id q20-v6mr17217906pgc.88.1525299295190;
        Wed, 02 May 2018 15:14:55 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525299295; cv=none;
        d=google.com; s=arc-20160816;
        b=uQra9QG81T1vz2dXLmfNEgDtD9X0t9zlWS1rlU/91YEPqJC0RcBRdxwervghx6SJOv
         55OjqeybpC5hzpUAxyfAGSrko98ydBCrcUgkZPVnYd/P/4hUQqJ/K2ksLmEZIASPcIKn
         3qcyUq9X5WJwwYq37euwjdLrSb5n0IBjCn12c0N02ARmXJgUE6NiY/mL/TX28XjDbzcA
         QgB7ykqqkfkOh+q265oawmjmCNhhfC0SpQ63WyHKH8N5TrrfJZTWpxNWXxE67FbMTR2T
         retf+fq3FdMfScWrOKsibCkPw07rJ+SNnkHmRDdlHJopiaMTxwGSkk/EOoqUaMIwAWLY
         t+lg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature:arc-authentication-results;
        bh=txgX3ax3CfQaIyoMYFKmx3DUqo1PnWsRhb8peeLrnDQ=;
        b=Uanhvld1p5BhHP+41CV3roiYEjxmD3fpVdETv9fzcJ3rfyuglb22CAOgjbEdo/c7Zo
         +jPDYkDflV3Fon/KMH+WyUmLqXWaMT7SmRIBhnDxRq0hVtLOVUtJQAwE9AgWwd2Ds1UH
         jl2M+5AJ+Q5kL2P0pY5xltCk5KFccbG20zWyReG3qzfRXGWwAStWvZ7imp0RyqiCnuBP
         lDLLjb48ftseRRd3QyvLjMMamabVS/yWglpy0Cr7ZD21kD6w0pJtU+dbsf2+WwUT9AU5
         fRdDl6Vtqh4vaDlQXZhLoI32AS0aJmcX48x97eQbNRArifTsM1fWsnUhVE9Vajb0Ak1g
         rWsA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@umn.edu header.s=google header.b=Kyva7yan;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t14si10142505pfh.101.2018.05.02.15.14.41;
        Wed, 02 May 2018 15:14:55 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@umn.edu header.s=google header.b=Kyva7yan;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=umn.edu
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751694AbeEBWNH (ORCPT <rfc822;rajatbajpailinux@gmail.com>
        + 99 others); Wed, 2 May 2018 18:13:07 -0400
Received: from mta-p5.oit.umn.edu ([134.84.196.205]:33186 "EHLO
        mta-p5.oit.umn.edu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751566AbeEBWNB (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 May 2018 18:13:01 -0400
Received: from localhost (unknown [127.0.0.1])
        by mta-p5.oit.umn.edu (Postfix) with ESMTP id 370CF914
        for <linux-kernel@vger.kernel.org>; Wed,  2 May 2018 22:13:00 +0000 (UTC)
X-Virus-Scanned: amavisd-new at umn.edu
Received: from mta-p5.oit.umn.edu ([127.0.0.1])
        by localhost (mta-p5.oit.umn.edu [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id KkJiBEy5iz9Y for <linux-kernel@vger.kernel.org>;
        Wed,  2 May 2018 17:13:00 -0500 (CDT)
Received: from mail-it0-f69.google.com (mail-it0-f69.google.com [209.85.214.69])
        (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by mta-p5.oit.umn.edu (Postfix) with ESMTPS id 07FA4250
        for <linux-kernel@vger.kernel.org>; Wed,  2 May 2018 17:13:00 -0500 (CDT)
Received: by mail-it0-f69.google.com with SMTP id n190-v6so4868180itg.4
        for <linux-kernel@vger.kernel.org>; Wed, 02 May 2018 15:12:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=umn.edu; s=google;
        h=from:to:cc:subject:date:message-id;
        bh=txgX3ax3CfQaIyoMYFKmx3DUqo1PnWsRhb8peeLrnDQ=;
        b=Kyva7yanIQ+3xwVrxsgC7d4eA9sePesCa5G5gZV3RwmiknL3sYri8WjrqeVdgMXXFd
         8NdK+WEcScShZTzX33pUsTPpck1GytJl2NcPp22rY3ZyKAmVwqp+oNEVV5KEh98Jh29f
         JwIVasPKiva8+5+D24D1MnnuMvnniwS1BDK6w+U3V9CrQSuUG0BCYDQ2MxW6an1lYSZJ
         oighGH8dJufJ+23Ti6Yo+IylVl7W6h1SByAQxMpGyozYvT1JDLEpXegqiXAQYcBnWLCH
         g002PNyJzgVj7h7K9Ung2ECTh27TuTyhZ9pZddibOtKnBURYn30w3whrITKNNURVkknO
         8pgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=txgX3ax3CfQaIyoMYFKmx3DUqo1PnWsRhb8peeLrnDQ=;
        b=jYd8cPmzYsNPBMR1OqFzLxKoTer02r54j0PDeFWef/yLMbjIII2PEAI5abPDXOu83f
         /cSnbVSa+xG26+O2E5gcGyy3ioLVHWMl9kP/nT6Y7wamoWa8z/C1ZRvmubLb5VW0NilW
         yhh7ygguu1qu9v4VcXBsX830CglyPElukJQyYilrD0QKpLJMzszGL31D8ckXvzF19xSg
         CvAtju3M8cwuFQygt5YkGx497eqAxRt+kbzsvT291+P9bEZaTrGJqvkM4LHA9YPOInHK
         Ba14aofkkrVissaTgh457WdwqQdLD4LswGTCfitTKDNHraYxwYHrA3rP4HtnvNIQomE6
         0VBw==
X-Gm-Message-State: ALQs6tBZMsDtH9Cc2FuNTsHwW/UokVyRUwdzM3o09qSZ2uccc49noPey
        s2JFJT2wNPriJKXl4VkzEIFvZ2SD2ew957637w94v2rXiJkx8zL9Jt+vRxYk4CenTjYtsSY6nn+
        aXvhLmbQNMZ8dcpL8DHbQMtizgw2t
X-Received: by 2002:a24:6c04:: with SMTP id w4-v6mr11399545itb.153.1525299179654;
        Wed, 02 May 2018 15:12:59 -0700 (PDT)
X-Received: by 2002:a24:6c04:: with SMTP id w4-v6mr11399525itb.153.1525299179431;
        Wed, 02 May 2018 15:12:59 -0700 (PDT)
Received: from cs-u-cslp16.cs.umn.edu (cs-u-cslp16.cs.umn.edu. [134.84.121.95])
        by smtp.gmail.com with ESMTPSA id u196-v6sm1889845itc.28.2018.05.02.15.12.57
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Wed, 02 May 2018 15:12:58 -0700 (PDT)
From:   Wenwen Wang <wang6495@umn.edu>
To:     Wenwen Wang <wang6495@umn.edu>
Cc:     Kangjie Lu <kjlu@umn.edu>, Vlad Yasevich <vyasevich@gmail.com>,
        Neil Horman <nhorman@tuxdriver.com>,
        "David S. Miller" <davem@davemloft.net>,
        linux-sctp@vger.kernel.org (open list:SCTP PROTOCOL),
        netdev@vger.kernel.org (open list:NETWORKING [GENERAL]),
        linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] sctp: fix a potential missing-check bug
Date:   Wed,  2 May 2018 17:12:45 -0500
Message-Id: <1525299165-27098-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

In sctp_setsockopt_maxseg(), the integer 'val' is compared against min_len
and max_len to check whether it is in the appropriate range. If it is not,
an error code -EINVAL will be returned. This is enforced by a security
check. But, this check is only executed when 'val' is not 0. In fact, if
'val' is 0, it will be assigned with a new value (if the return value of
the function sctp_id2assoc() is not 0) in the following execution. However,
this new value of 'val' is not checked before it is used to assigned to
asoc->user_frag. That means it is possible that the new value of 'val'
could be out of the expected range. This can cause security issues
such as buffer overflows, e.g., the new value of 'val' is used as an index
to access a buffer.

This patch inserts a check for the new value of 'val' to see if it is in
the expected range. If it is not, an error code -EINVAL will be returned.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
---
 net/sctp/socket.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 80835ac..2beb601 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3212,6 +3212,7 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned
 	struct sctp_af *af = sp->pf->af;
 	struct sctp_assoc_value params;
 	struct sctp_association *asoc;
+	int min_len, max_len;
 	int val;
 
 	if (optlen == sizeof(int)) {
@@ -3231,19 +3232,15 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned
 		return -EINVAL;
 	}
 
-	if (val) {
-		int min_len, max_len;
+	min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len;
+	min_len -= af->ip_options_len(sk);
+	min_len -= sizeof(struct sctphdr) +
+		   sizeof(struct sctp_data_chunk);
 
-		min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len;
-		min_len -= af->ip_options_len(sk);
-		min_len -= sizeof(struct sctphdr) +
-			   sizeof(struct sctp_data_chunk);
+	max_len = SCTP_MAX_CHUNK_LEN - sizeof(struct sctp_data_chunk);
 
-		max_len = SCTP_MAX_CHUNK_LEN - sizeof(struct sctp_data_chunk);
-
-		if (val < min_len || val > max_len)
-			return -EINVAL;
-	}
+	if (val && (val < min_len || val > max_len))
+		return -EINVAL;
 
 	asoc = sctp_id2assoc(sk, params.assoc_id);
 	if (asoc) {
@@ -3253,6 +3250,8 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned
 			val -= sizeof(struct sctphdr) +
 			       sctp_datachk_len(&asoc->stream);
 		}
+		if (val < min_len || val > max_len)
+			return -EINVAL;
 		asoc->user_frag = val;
 		asoc->frag_point = sctp_frag_point(asoc, asoc->pathmtu);
 	} else {
-- 
2.7.4