From: Wenwen Wang
Date: Wed, 2 May 2018 20:27:05 -0500
Subject: Re: [PATCH] sctp: fix a potential missing-check bug
To: Marcelo Ricardo Leitner
Cc: Kangjie Lu, Vlad Yasevich, Neil Horman, "David S. Miller", "open list:SCTP PROTOCOL", "open list:NETWORKING [GENERAL]", open list, Wenwen Wang
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 2, 2018 at 8:24 PM, Marcelo Ricardo Leitner wrote:
> On Wed, May 02, 2018 at 08:15:45PM -0500, Wenwen Wang wrote:
>> In sctp_setsockopt_maxseg(), the integer 'val' is compared against min_len
>> and max_len to check whether it is in the appropriate range. If it is not,
>> an error code -EINVAL will be returned. This is enforced by a security
>> check. But, this check is only executed when 'val' is not 0. In fact, if
>> 'val' is 0, it will be assigned with a new value (if the return value of
>> the function sctp_id2assoc() is not 0) in the following execution. However,
>> this new value of 'val' is not checked before it is used to assigned to
>> asoc->user_frag. That means it is possible that the new value of 'val'
>> could be out of the expected range. This can cause security issues
>> such as buffer overflows, e.g., the new value of 'val' is used as an index
>> to access a buffer.
>>
>> This patch inserts a check for the new value of 'val' to see if it is in
>> the expected range. If it is not, an error code -EINVAL will be returned.
>>
>> Signed-off-by: Wenwen Wang
>> ---
>>  net/sctp/socket.c | 22 +++++++++++-----------
>>  1 file changed, 11 insertions(+), 11 deletions(-)
>
> ?
> This patch is the same as previous one. git send-email
> maybe?
>
>   Marcelo

Thanks for your suggestion, Marcelo. I can send the old file. But, I have
added a line of comment in this patch.

Wenwen
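
The missing-check pattern described in the quoted commit message, as an added user-space model. It is not the kernel's net/sctp/socket.c code and not part of the original thread. Only 'val', min_len, max_len and user_frag come from the message; every other name is hypothetical, and the bounds and derived value are constructed.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified model. 'derived_len' is a hypothetical stand-in for whatever
 * value 'val' is replaced with when the caller passes 0. */
struct model_asoc {
    int derived_len;
    int user_frag;
};

static int in_range(int v, int lo, int hi) { return v >= lo && v <= hi; }

/* Pattern from the commit message: the range check runs only for a
 * non-zero 'val', so a value derived afterwards is stored unvalidated. */
int maxseg_unchecked(struct model_asoc *asoc, int val, int min_len, int max_len)
{
    if (val && !in_range(val, min_len, max_len))
        return -EINVAL;
    if (asoc) {
        if (val == 0)
            val = asoc->derived_len;
        asoc->user_frag = val;
    }
    return 0;
}

/* One possible placement of the check: derive first, then validate
 * whatever is about to be stored, and leave state untouched on failure. */
int maxseg_checked(struct model_asoc *asoc, int val, int min_len, int max_len)
{
    if (asoc && val == 0)
        val = asoc->derived_len;
    if (val && !in_range(val, min_len, max_len))
        return -EINVAL;
    if (asoc)
        asoc->user_frag = val;
    return 0;
}

int main(void)
{
    struct model_asoc a = { 5000, 0 }, b = { 5000, 0 }; /* constructed: 5000 > max */
    int rc_a = maxseg_unchecked(&a, 0, 8, 1000);
    int rc_b = maxseg_checked(&b, 0, 8, 1000);
    printf("unchecked: rc=%d user_frag=%d\n", rc_a, a.user_frag);
    printf("checked:   rc=%d user_frag=%d\n", rc_b, b.user_frag);
    return 0;
}
```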