From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hangbin Liu , Marcelo Ricardo Leitner , Xin Long , "David S. Miller"
Subject: [PATCH 5.4 014/152] sctp: move the format error check out of __sctp_sf_do_9_1_abort
Date: Tue, 3 Mar 2020 18:41:52 +0100
Message-Id: <20200303174304.124601765@linuxfoundation.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20200303174302.523080016@linuxfoundation.org>
References: <20200303174302.523080016@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

From: Xin Long

[ Upstream commit 245709ec8be89af46ea7ef0444c9c80913999d99 ]

When the T2 timer is to be stopped, the asoc should also be deleted;
otherwise there will be no chance to call sctp_association_free and
the asoc could last in memory forever.

However, in sctp_sf_shutdown_sent_abort(), after adding the cmd
SCTP_CMD_TIMER_STOP for the T2 timer, it may return an error due to the
format error from __sctp_sf_do_9_1_abort() and miss adding
SCTP_CMD_ASSOC_FAILED, where the asoc would be deleted.

This patch fixes it by moving the format error check out of
__sctp_sf_do_9_1_abort(), and doing it before adding the cmd
SCTP_CMD_TIMER_STOP for the T2 timer.

Thanks to Hangbin for reporting this issue found by fuzz testing.

v1->v2:
  - improve the comment in the code per Marcelo's suggestion.

Fixes: 96ca468b86b0 ("sctp: check invalid value of length parameter in error cause")
Reported-by: Hangbin Liu
Acked-by: Marcelo Ricardo Leitner
Signed-off-by: Xin Long
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/sctp/sm_statefuns.c | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -170,6 +170,16 @@ static inline bool sctp_chunk_length_val return true; } +/* Check for format error in an ABORT chunk */ +static inline bool sctp_err_chunk_valid(struct sctp_chunk *chunk) +{ + struct sctp_errhdr *err; + + sctp_walk_errors(err, chunk->chunk_hdr); + + return (void *)err == (void *)chunk->chunk_end; +} + /********************************************************** * These are the state functions for handling chunk events. **********************************************************/ @@ -2255,6 +2265,9 @@ enum sctp_disposition sctp_sf_shutdown_p sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + if (!sctp_err_chunk_valid(chunk)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); } @@ -2298,6 +2311,9 @@ enum sctp_disposition sctp_sf_shutdown_s sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + if (!sctp_err_chunk_valid(chunk)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Stop the T2-shutdown timer. */ sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, SCTP_TO(SCTP_EVENT_TIMEOUT_T2_SHUTDOWN)); @@ -2565,6 +2581,9 @@ enum sctp_disposition sctp_sf_do_9_1_abo sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + if (!sctp_err_chunk_valid(chunk)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + return __sctp_sf_do_9_1_abort(net, ep, asoc, type, arg, commands); } 
@@ -2582,16 +2601,8 @@ static enum sctp_disposition __sctp_sf_d /* See if we have an error cause code in the chunk. */ len = ntohs(chunk->chunk_hdr->length); - if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) { - struct sctp_errhdr *err; - - sctp_walk_errors(err, chunk->chunk_hdr); - if ((void *)err != (void *)chunk->chunk_end) - return sctp_sf_pdiscard(net, ep, asoc, type, arg, - commands); - + if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) error = ((struct sctp_errhdr *)chunk->skb->data)->cause; - } sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET)); /* ASSOC_FAILED will DELETE_TCB. */
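Review bot: in the @@ -170 hunk, sctp_err_chunk_valid() runs sctp_walk_errors() without the `len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)` guard that used to precede the walk in __sctp_sf_do_9_1_abort() (removed in the @@ -2582 hunk), so accepting a header-only ABORT now depends entirely on the macro's own bounds checks leaving `err` exactly at `chunk->chunk_end`. The one-line comment `/* Check for format error in an ABORT chunk */` says what the helper does but not that the short-chunk case is intentionally reported as valid; please spell that out, since the commit message's v1->v2 note says the comment was improved and this is the only comment in the diff.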
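Review bot: with the @@ -2255 hunk, the format check is now a precondition that each caller of __sctp_sf_do_9_1_abort() must satisfy, because the callee (see the @@ -2582 hunk) no longer validates the chunk before reading `((struct sctp_errhdr *)chunk->skb->data)->cause`. The three callers changed here all add the check, but nothing in __sctp_sf_do_9_1_abort() documents the requirement; a comment at its top stating that the chunk must already have passed sctp_err_chunk_valid() would stop a future caller from reintroducing the unchecked path.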
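Review bot: the placement in the @@ -2298 hunk, with `if (!sctp_err_chunk_valid(chunk))` inserted before `/* Stop the T2-shutdown timer. */`, is the entire fix (a discard after SCTP_CMD_TIMER_STOP has been queued would leave the asoc with neither a timer nor SCTP_CMD_ASSOC_FAILED), yet the call site carries no comment explaining why the order matters. The same three lines appear in the other two callers where order is irrelevant, so a reader could plausibly move this one; please add a short comment tying the check to the timer stop that follows.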
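Review bot: in the @@ -2565 hunk (and the two matching hunks), the new check returns sctp_sf_pdiscard(), dropping the remainder of the packet, while the adjacent bind-address check just above returns sctp_sf_discard_chunk(). This matches the pre-patch behaviour inside __sctp_sf_do_9_1_abort(), which also used sctp_sf_pdiscard(), so behaviour is preserved; it would be worth a sentence in the commit message confirming the whole-packet discard is deliberate for a malformed ABORT rather than a copy of the wrong neighbouring disposition.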
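Review bot: in the @@ -2582 hunk, the surviving `if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))` now guards a single statement with its braces removed, and the comment above it, `/* See if we have an error cause code in the chunk. */`, is the only hint that `error` is left at its earlier value when the chunk carries no causes. Since the walk that previously established the causes were well-formed has moved to the callers, consider noting here that the cause field is only trusted because sctp_err_chunk_valid() already ran, so the read of `chunk->skb->data` is not mistaken for an unchecked access on review.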