From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Jason Gunthorpe", "Daniel Borkmann", "Neil Horman", "David S. Miller"
Date: Thu, 07 Jun 2018 15:05:21 +0100
Subject: [PATCH 3.16 005/410] sctp: Fix mangled IPv4 addresses on a IPv6 listening socket

3.16.57-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Jason Gunthorpe

commit 9302d7bb0c5cd46be5706859301f18c137b2439f upstream.

sctp_v4_map_v6 was subtly writing and reading from members of a union
in a way that clobbered data it needed to read before it read it.

Zeroing the v6 flowinfo overwrites the v4 sin_addr with 0, meaning that
every place that calls sctp_v4_map_v6 gets ::ffff:0.0.0.0 as the result.

Reorder things to guarantee correct behaviour no matter what the union
layout is.

This impacts user space clients that open an IPv6 SCTP socket and
receive IPv4 connections. Prior to 299ee user space would see a sockaddr
with AF_INET and a correct address, after 299ee the sockaddr is AF_INET6,
but the address is wrong.

Fixes: 299ee123e198 (sctp: Fixup v4mapped behaviour to comply with Sock API)
Signed-off-by: Jason Gunthorpe
Acked-by: Daniel Borkmann
Acked-by: Neil Horman
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
 include/net/sctp/sctp.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h
@@ -582,11 +582,14 @@ static inline void sctp_v6_map_v4(union /* Map v4 address to v4-mapped v6 address */ static inline void sctp_v4_map_v6(union sctp_addr *addr) { + __be16 port; + + port = addr->v4.sin_port; + addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr; + addr->v6.sin6_port = port; addr->v6.sin6_family = AF_INET6; addr->v6.sin6_flowinfo = 0; addr->v6.sin6_scope_id = 0; - addr->v6.sin6_port = addr->v4.sin_port; - addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr; addr->v6.sin6_addr.s6_addr32[0] = 0; addr->v6.sin6_addr.s6_addr32[1] = 0; addr->v6.sin6_addr.s6_addr32[2] = htonl(0x0000ffff);
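
Review bot: The order of the first three statements in sctp_v4_map_v6 is now what makes the function correct, but nothing in the code records that. The v4 and v6 members alias inside union sctp_addr, and per the commit message it was the sin6_flowinfo = 0 store that wiped sin_addr. A one-line comment above "port = addr->v4.sin_port;" saying that every v4 field must be read before any v6 field is written would stop a later tidy-up from moving the port and s6_addr32[3] assignments back below the zeroing stores. The two v4 reads are also treated differently: sin_port is saved in a local, while sin_addr.s_addr is read inline in the statement that writes s6_addr32[3]. Copying both into locals before the first v6 store would make the "no matter what the union layout is" guarantee visible at a glance.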