Received: by 10.192.165.148 with SMTP id m20csp1203789imm; Wed, 2 May 2018 16:24:25 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoYyYDObSvFwiZvqCoNeRSXORSZ8AIsf5q+keBQYAao/Raaa3aC3KkrlB1wUM88rFnXA8eF X-Received: by 10.98.201.92 with SMTP id k89mr20937217pfg.47.1525303465750; Wed, 02 May 2018 16:24:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525303465; cv=none; d=google.com; s=arc-20160816; b=tu/PMLcMZamEsIhwsYvN4nflKi9AcuxFBR04/LfeYEcTGPjO9eWrhVUZToyxchBO2g eGoDFtzK49XAYO9EVbXe0TQ0rgppgKCnUuJ/1Tr8R5EZtmZN+n6yn+LRUJwqqLNd5BB2 YkomLvxYZP8a43EP/jlF3sZa3KfVP80l/k3rlgjzi7tNoOsW7Aj3mGEg5tOrmU5sd5wC 8kEZny0M1uDkQC/mpizt1xhdYBcGebjGOwBV/HIaGRvwA4CVaTTloZO03UfCBqYOHgSR O+n7dvENMPKqIeV1YllGx/J2dM3g7ZpXj3R/wbvS6mWhwNrCxKdc9nBp7YqnTXVICJIn 0gLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=DD2vmCTwzB5oU5HoWIysJPXEnrSe3M7hF0YFMZK18CI=; b=SozoMhcnDllPYfaALe1AMOXePb9goR4SotLKwfz/AA/b+LkbXZRBDhJDQqLFAnZ9dA YnllvzVTRODGQRb9GyD8nGFrlsHGeKN2Bi4tk62g/Bg2UfA9UTovEBeow89RwjbMrGLI kH/U/D4A71TPe8+i+Um6Z+pgIzLZyEBvJd277bQkmejnRArQawPYm7l9PhSNiRNhNvpe hBrjvny5BYKgCHKG0Zwh9HSKq69eO6sPekwGmatJJ5qBx9zjhEnHOR0eNkgAL4LmejL5 zBJ7qoA4fyTzRRPQQngOQzgjHBgRG6NEM92y0wGO46fbUdhpDVxEYOidm678ZYQiIXix lmUg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ioFtrXVH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z21-v6si8532395plo.465.2018.05.02.16.24.11; Wed, 02 May 2018 16:24:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=ioFtrXVH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751840AbeEBXX7 (ORCPT + 99 others); Wed, 2 May 2018 19:23:59 -0400 Received: from mail-qt0-f196.google.com ([209.85.216.196]:39525 "EHLO mail-qt0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751587AbeEBXX4 (ORCPT ); Wed, 2 May 2018 19:23:56 -0400 Received: by mail-qt0-f196.google.com with SMTP id f1-v6so20706548qtj.6; Wed, 02 May 2018 16:23:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=DD2vmCTwzB5oU5HoWIysJPXEnrSe3M7hF0YFMZK18CI=; b=ioFtrXVH2GRucPIWb6c8x9kcvVXY+8AejssmFfMfrMk4AhpsuWo5Kj58UExupYxpkC yE14thn2jv5yhCR2gZW7LApAejqnH3WU3JKPz3/9XsuLsF/l5fUuCWshKVUsh22C0dJ/ IkmCrkukgFwBwfFt69jsdgXu/hpOjldyHGBUN9fmxzzhv3LZKaoJL65drP2kzIi6Hp43 aKRgqXUHS9wH/SmCZNKUUXsnTcwxAOScIeIfce7AqpJlkNMSNXR03RAdinL/QXdJ2wkk 3dJutdDgSig3jrull6L0v2WdYgSvU4trlNwtkxd8W1Uob1tBD+IJ1YGRovQWav87QvVm 5EfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=DD2vmCTwzB5oU5HoWIysJPXEnrSe3M7hF0YFMZK18CI=; b=fmHxjhAHn/XowCV2KBDeAayBHY4UCo1mhOv7NuWkWM3l3ktaVO6UGlP+AgU1mZJ/1C oW5KBMW02WAWF59uVsAusolZIHS4sYRQowf6ksE0Lsz2g/8Xs0JlkL87IngpYW8OWire RXau96Gpa8v62lOkpxQ/nW4xZKlflKj/NefZ++qYUqQryl9JbOu2FBCpnKToVZt+ZkrB kk9hlMT5/ANOHaW6uGX82fb8AfXY2zdfROo2KY1GqLnzcOfVy2160mdK8rUMAPiFSBtv 0aorGg66M0xWn84nXn46sMdjD7UZ04UWpolMusVXB7vYBxoS7dnWjaEHfcQsADaFjUvo Wliw== X-Gm-Message-State: ALQs6tAU/i1emxMUaKiNAlsOgpHsPUHueC6ChzDUSaqc/+BWXqjCrF74 Uc7XHCLh+DLQfrCFDhWDJps= X-Received: by 2002:ac8:431a:: with SMTP id z26-v6mr18513868qtm.377.1525303435810; Wed, 02 May 2018 16:23:55 -0700 (PDT) Received: from localhost.localdomain ([177.10.56.95]) by smtp.gmail.com with ESMTPSA id g127sm9618486qkc.4.2018.05.02.16.23.55 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 02 May 2018 16:23:55 -0700 (PDT) Received: by localhost.localdomain (Postfix, from userid 1000) id 7D0D2180DFB; Wed, 2 May 2018 20:23:52 -0300 (-03) Date: Wed, 2 May 2018 20:23:52 -0300 From: Marcelo Ricardo Leitner To: Wenwen Wang Cc: Kangjie Lu , Vlad Yasevich , Neil Horman , "David S. Miller" , "open list:SCTP PROTOCOL" , "open list:NETWORKING [GENERAL]" , open list Subject: Re: [PATCH] sctp: fix a potential missing-check bug Message-ID: <20180502232352.GJ5105@localhost.localdomain> References: <1525299165-27098-1-git-send-email-wang6495@umn.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1525299165-27098-1-git-send-email-wang6495@umn.edu> User-Agent: Mutt/1.9.2 (2017-12-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Wenwen, On Wed, May 02, 2018 at 05:12:45PM -0500, Wenwen Wang wrote: > In sctp_setsockopt_maxseg(), the integer 'val' is compared against min_len > and max_len to check whether it is in the appropriate range. If it is not, > an error code -EINVAL will be returned. This is enforced by a security > check. But, this check is only executed when 'val' is not 0. In fact, if Which makes sense, no? Especially if considering that 0 should be an allowed value as it turns off the user limit. > 'val' is 0, it will be assigned with a new value (if the return value of > the function sctp_id2assoc() is not 0) in the following execution. However, > this new value of 'val' is not checked before it is used to assigned to Which 'new value'? val is not set to something new during the function. It always contains the user supplied value. > asoc->user_frag. That means it is possible that the new value of 'val' > could be out of the expected range. This can cause security issues > such as buffer overflows, e.g., the new value of 'val' is used as an index > to access a buffer. > > This patch inserts a check for the new value of 'val' to see if it is in > the expected range. If it is not, an error code -EINVAL will be returned. > > Signed-off-by: Wenwen Wang > --- > net/sctp/socket.c | 21 ++++++++++----------- > 1 file changed, 10 insertions(+), 11 deletions(-) > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index 80835ac..2beb601 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -3212,6 +3212,7 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned > struct sctp_af *af = sp->pf->af; > struct sctp_assoc_value params; > struct sctp_association *asoc; > + int min_len, max_len; > int val; > > if (optlen == sizeof(int)) { > @@ -3231,19 +3232,15 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned > return -EINVAL; > } > > - if (val) { > - int min_len, max_len; > + min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len; > + min_len -= af->ip_options_len(sk); > + min_len -= sizeof(struct sctphdr) + > + sizeof(struct sctp_data_chunk); On which tree did you base your patch on? Your patch lacks a tag so it defaults to net-next, and I reworked this section on current net-next and these MTU calculcations are now handled by sctp_mtu_payload(). But even for net tree, I don't understand which issue you're fixing here. Actually it seems to me that both codes seems to do the same thing. > > - min_len = SCTP_DEFAULT_MINSEGMENT - af->net_header_len; > - min_len -= af->ip_options_len(sk); > - min_len -= sizeof(struct sctphdr) + > - sizeof(struct sctp_data_chunk); > + max_len = SCTP_MAX_CHUNK_LEN - sizeof(struct sctp_data_chunk); > > - max_len = SCTP_MAX_CHUNK_LEN - sizeof(struct sctp_data_chunk); > - > - if (val < min_len || val > max_len) > - return -EINVAL; > - } > + if (val && (val < min_len || val > max_len)) > + return -EINVAL; > > asoc = sctp_id2assoc(sk, params.assoc_id); > if (asoc) { > @@ -3253,6 +3250,8 @@ static int sctp_setsockopt_maxseg(struct sock *sk, char __user *optval, unsigned > val -= sizeof(struct sctphdr) + > sctp_datachk_len(&asoc->stream); > } > + if (val < min_len || val > max_len) > + return -EINVAL; > asoc->user_frag = val; > asoc->frag_point = sctp_frag_point(asoc, asoc->pathmtu); > } else { > -- > 2.7.4 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >