Date: Wed, 2 May 2018 22:48:38 -0300
From: Marcelo Ricardo Leitner
To: Wenwen Wang
Cc: Kangjie Lu, Vlad Yasevich, Neil Horman, "David S. Miller", "open list:SCTP PROTOCOL", "open list:NETWORKING [GENERAL]", open list
Subject: Re: [PATCH] sctp: fix a potential missing-check bug
Message-ID: <20180503014838.GL5105@localhost.localdomain>

On Wed, May 02, 2018 at 08:27:05PM -0500, Wenwen Wang wrote:
> On Wed, May 2, 2018 at 8:24 PM, Marcelo Ricardo Leitner
> wrote:
> > On Wed, May 02, 2018 at 08:15:45PM -0500, Wenwen Wang wrote:
> >> In sctp_setsockopt_maxseg(), the integer 'val' is compared against min_len
> >> and max_len to check whether it is in the appropriate range. If it is not,
> >> an error code -EINVAL will be returned. This is enforced by a security
> >> check. But, this check is only executed when 'val' is not 0. In fact, if
> >> 'val' is 0, it will be assigned with a new value (if the return value of
> >> the function sctp_id2assoc() is not 0) in the following execution. However,
> >> this new value of 'val' is not checked before it is used to assigned to
> >> asoc->user_frag. That means it is possible that the new value of 'val'
> >> could be out of the expected range. This can cause security issues
> >> such as buffer overflows, e.g., the new value of 'val' is used as an index
> >> to access a buffer.
> >>
> >> This patch inserts a check for the new value of 'val' to see if it is in
> >> the expected range. If it is not, an error code -EINVAL will be returned.
> >>
> >> Signed-off-by: Wenwen Wang
> >> ---
> >>  net/sctp/socket.c | 22 +++++++++++-----------
> >>  1 file changed, 11 insertions(+), 11 deletions(-)
> >
> > ?
> > This patch is the same as previous one. git send-email
> > maybe?
> >
> > Marcelo
>
> Thanks for your suggestion, Marcelo. I can send the old file. But, I
> have added a line of comment in this patch.

I meant if you had sent the old patch again by accident, because you said
you worked on an old version of the tree, but then posted a patch that
also doesn't use the new MTU function I mentioned.

Marcelo
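
The check-placement concern raised in the quoted patch description, as an added userland model that is not kernel code and not part of the thread. The struct, the bounds, the overhead constant and the way the value is derived from a path MTU are assumptions made for illustration; only the names 'val', -EINVAL and user_frag come from the message.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-in for the association; only user_frag is named in the thread. */
struct assoc_model { int pathmtu; int user_frag; };

/* Constructed bounds and overhead; the kernel computes its own min_len/max_len. */
enum { MIN_LEN = 512, MAX_LEN = 65535, OVERHEAD = 28 };

static int in_range(int val) { return val >= MIN_LEN && val <= MAX_LEN; }

/* Reported pattern: the range check runs only on the caller's non-zero value. */
int set_maxseg_check_first(struct assoc_model *asoc, int val)
{
    if (val && !in_range(val))
        return -EINVAL;
    if (!asoc)
        return 0;                        /* path not modelled here */
    if (val == 0)
        val = asoc->pathmtu - OVERHEAD;  /* derived value skips the check */
    asoc->user_frag = val;
    return 0;
}

/* Same logic with the check applied to the value that is finally stored. */
int set_maxseg_check_last(struct assoc_model *asoc, int val)
{
    if (val == 0) {
        if (!asoc)
            return 0;
        val = asoc->pathmtu - OVERHEAD;
    }
    if (!in_range(val))
        return -EINVAL;
    if (asoc)
        asoc->user_frag = val;
    return 0;
}

int main(void)
{
    struct assoc_model a = { 100, 1000 }, b = { 100, 1000 };  /* constructed input */
    int ra = set_maxseg_check_first(&a, 0);
    int rb = set_maxseg_check_last(&b, 0);
    printf("check first: ret=%d user_frag=%d\n", ra, a.user_frag);
    printf("check last:  ret=%d user_frag=%d\n", rb, b.user_frag);
    return 0;
}
```

With the constructed path MTU of 100, the first variant stores an out-of-range 72 and reports success, while the second returns -EINVAL and leaves user_frag untouched.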