From: Wenwen Wang
To: Wenwen Wang
Cc: Kangjie Lu, Vlad Yasevich, Neil Horman, "David S. Miller", linux-sctp@vger.kernel.org (open list:SCTP PROTOCOL), netdev@vger.kernel.org (open list:NETWORKING [GENERAL]), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] sctp: fix a potential missing-check bug
Date: Wed, 2 May 2018 17:12:45 -0500
Message-Id: <1525299165-27098-1-git-send-email-wang6495@umn.edu>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

In sctp_setsockopt_maxseg(), the integer 'val' is compared against min_len and max_len to check whether it is in the appropriate range. If it is not, an error code -EINVAL will be returned. This is enforced by a security check. But this check is only executed when 'val' is not 0. In fact, if 'val' is 0, it will be assigned a new value (if the return value of the function sctp_id2assoc() is not 0) in the following execution. However, this new value of 'val' is not checked before it is assigned to asoc->user_frag. That means it is possible that the new value of 'val' could be out of the expected range. This can cause security issues such as buffer overflows, e.g., the new value of 'val' is used as an index to access a buffer.

This patch inserts a check for the new value of 'val' to see if it is in the expected range. If it is not, an error code -EINVAL will be returned.

Signed-off-by: Wenwen Wang
---
 net/sctp/socket.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 80835ac..2beb601 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -3212,6 +3212,7 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned struct sctp_af *af = sp->pf->af; struct sctp_assoc_value params; struct sctp_association *asoc; + int min_len, max_len; int val; if (optlen == sizeof(int)) {
@@ -3231,19 +3232,15 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned return -EINVAL; } - if (val) { - int min_len, max_len; + min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len; + min_len -= af->ip_options_len(sk); + min_len -= sizeof(struct sctphdr) + + sizeof(struct sctp_data_chunk); - min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len; - min_len -= af->ip_options_len(sk); - min_len -= sizeof(struct sctphdr) + - sizeof(struct sctp_data_chunk); + max_len = SCTP_MAX_CHUNK_LEN - sizeof(struct sctp_data_chunk); - max_len = SCTP_MAX_CHUNK_LEN - sizeof(struct sctp_data_chunk); - - if (val < min_len || val > max_len) - return -EINVAL; - } + if (val && (val < min_len || val > max_len)) + return -EINVAL; asoc = sctp_id2assoc(sk, params.assoc_id); if (asoc) { @@ -3253,6 +3250,8 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned val -= sizeof(struct sctphdr) + sctp_datachk_len(&asoc->stream); } + if (val < min_len || val > max_len) + return -EINVAL; asoc->user_frag = val; asoc->frag_point = sctp_frag_point(asoc, asoc->pathmtu); } else { -- 2.7.4
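Review bot: in the second hunk the relocated check `if (val && (val < min_len || val > max_len))` keeps the old semantics for a non-zero val, but it now overlaps with the check added in the third hunk: a non-zero val that passed here reaches `asoc->user_frag = val;` unchanged (the `val -= ...` adjustment visible in the third hunk sits inside the block that only runs when val was 0, per the changelog) and is range-checked a second time. The first check is still needed for the `} else {` path at the end of the patch, which stores val without going through the association branch, so either keep both and say so in a comment above the second one, or move the unconditional check in front of `asoc = sctp_id2assoc(sk, params.assoc_id);` so it covers both paths once and the association branch only re-validates the pathmtu-derived value.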
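Review bot: the check added in the third hunk rejects a value the kernel derived itself from the association (the context line `val -= sizeof(struct sctphdr) + sctp_datachk_len(&asoc->stream);` adjusts a pathmtu-based val), so a caller passing 0 to request the default now gets -EINVAL because of the association's path MTU rather than anything it supplied; that is a user-visible behaviour change the changelog does not mention, so either explain how a pathmtu-derived value can leave [min_len, max_len] or clamp it instead of failing the setsockopt. The changelog's buffer-overflow claim is also not supported by the visible lines, where val only reaches `asoc->user_frag = val;` and `asoc->frag_point = sctp_frag_point(asoc, asoc->pathmtu);`; point at the code that uses it as an index or describe the change as a plain range check.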