From: Wenwen Wang
Date: Thu, 3 May 2018 07:01:51 -0500
Subject: Re: [PATCH] sctp: fix a potential missing-check bug
To: Marcelo Ricardo Leitner
Cc: Kangjie Lu, Vlad Yasevich, Neil Horman, "David S. Miller", "open list:SCTP PROTOCOL", "open list:NETWORKING [GENERAL]", open list, Wenwen Wang
In-Reply-To: <20180503014838.GL5105@localhost.localdomain>
References: <1525310145-28102-1-git-send-email-wang6495@umn.edu> <20180503012402.GK5105@localhost.localdomain> <20180503014838.GL5105@localhost.localdomain>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 2, 2018 at 8:48 PM, Marcelo Ricardo Leitner wrote:
> On Wed, May 02, 2018 at 08:27:05PM -0500, Wenwen Wang wrote:
>> On Wed, May 2, 2018 at 8:24 PM, Marcelo Ricardo Leitner
>> wrote:
>> > On Wed, May 02, 2018 at 08:15:45PM -0500, Wenwen Wang wrote:
>> >> In sctp_setsockopt_maxseg(), the integer 'val' is compared against min_len
>> >> and max_len to check whether it is in the appropriate range. If it is not,
>> >> an error code -EINVAL will be returned. This is enforced by a security
>> >> check. But, this check is only executed when 'val' is not 0. In fact, if
>> >> 'val' is 0, it will be assigned a new value (if the return value of
>> >> the function sctp_id2assoc() is not 0) in the following execution. However,
>> >> this new value of 'val' is not checked before it is assigned to
>> >> asoc->user_frag. That means it is possible that the new value of 'val'
>> >> could be out of the expected range. This can cause security issues
>> >> such as buffer overflows, e.g., if the new value of 'val' is used as an index
>> >> to access a buffer.
>> >>
>> >> This patch inserts a check for the new value of 'val' to see if it is in
>> >> the expected range. If it is not, an error code -EINVAL will be returned.
>> >>
>> >> Signed-off-by: Wenwen Wang
>> >> ---
>> >>  net/sctp/socket.c | 22 +++++++++++-----------
>> >>  1 file changed, 11 insertions(+), 11 deletions(-)
>> >
>> > ?
>> > This patch is the same as the previous one. git send-email
>> > maybe?
>> >
>> >   Marcelo
>>
>> Thanks for your suggestion, Marcelo. I can send the old file. But, I
>> have added a line of comment in this patch.
>
> I meant if you had sent the old patch again by accident, because you
> said you worked on an old version of the tree, but then posted a patch
> that also doesn't use the new MTU function I mentioned.
>
>   Marcelo

I worked on the latest kernel. But, I didn't find the MTU function
sctp_mtu_payload(). The problematic function that I found is
sctp_setsockopt_maxseg(), located in the file net/sctp/socket.c.

Thanks,
Wenwen