Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp2822816pxb; Mon, 1 Nov 2021 02:32:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwhGlbDehajaIsw3TyQRiwyUWV5drHvY9dNjuZXfc4e7DUKB+uiAWaqwCCss/yHTXbs7seM X-Received: by 2002:a6b:f00d:: with SMTP id w13mr19256746ioc.26.1635759169953; Mon, 01 Nov 2021 02:32:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635759169; cv=none; d=google.com; s=arc-20160816; b=EXID8RBh8Gdfowbk1g84HErXGbcsfSgGjEgeh6pQJ4dZ1uxsKp1iHpVecXrhZXppVE wGi1sWF9cCie+vOkQwGNYaD/8xi3Ikd6T64317e7TJB5R09Y095AnOfuz3qCmiLf1R3G 4Bvxc3vROtWkB42l+Eqi1LMW/cK4HGp9w2yymswLZlaS7ci4xalyHyAsICSycnnfTBr1 X1oVbroR0lPVTWCfaHybQblIypWxuigucqQfyj3juIz48XMXRyEwFX6rL30FisWHvUoH 70/SAz25I17Hep+1Z2YcV2BwEkGR1JI/LGDSmN3P6ev0FIABsUN7oUQf697e3lKYXOLd oQbw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=CD2Flx4Ggqj5dcG21ViCxaMNidLqF1GxEI2eSgVzQWk=; b=kmnXmG556refUAV66JtgRKzBFIJb2kOsfHcvtbr5S1K0MYRzoRxHCjUBO1DIbQwL+Y bN8OteIKmctqexf28/0OSQJaZnu9R+8zJnoAmH1H+p8LsJIQppcQzugqluhWN3SnVztp Xn5ReaJAgKM8ip0WS/U+KzGyrnqIAptzHWxxhg70vGB20+4Oalnkqza4UqaymzWHq23x UbWPpaDYyP2+lN53x9MmAcPuF9j2p0DKkjMgJ/B+C6S3Vz4sLtCaKpR0YG60RvjP4Zg3 p9g2blQ4HT7qQLDaT3l8/JQ+vKCmNGAgNebpt89c2FR0KfAV1fWwmbEEgPOZll3/v1GY /eSA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=YBPvelFh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b12si16992807jav.10.2021.11.01.02.32.38; Mon, 01 Nov 2021 02:32:49 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=YBPvelFh; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232490AbhKAJeV (ORCPT + 99 others); Mon, 1 Nov 2021 05:34:21 -0400 Received: from mail.kernel.org ([198.145.29.99]:37168 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232829AbhKAJaX (ORCPT ); Mon, 1 Nov 2021 05:30:23 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 206FD61221; Mon, 1 Nov 2021 09:23:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1635758632; bh=M8rjZj00TruxZUTpzsonvBIVGc+5pd5B/scd8NR4j5M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YBPvelFh4qBkWO0yP0LGSO5QE+Rt5qIoKOM1E5Cfp9lPheIAB2jxI9z8LTKkyqf2R 0/y9QhHbE6kq8VHKUxwUrjDVNAkuDISt3DWR2zJbum5ONVH6KlNz4F+3dm0bPqphRm qwKb2hmawB8aZHbWPKJjBtiAQAx79xpjZIpmdPjY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Xin Long , Marcelo Ricardo Leitner , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 44/51] sctp: add vtag check in sctp_sf_violation Date: Mon, 1 Nov 2021 10:17:48 +0100 Message-Id: <20211101082510.950517587@linuxfoundation.org> X-Mailer: git-send-email 2.33.1 In-Reply-To: <20211101082500.203657870@linuxfoundation.org> References: <20211101082500.203657870@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xin Long [ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ] sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk in cookie_wait state, and some other places are also using it. The vtag in the chunk's sctphdr should be verified, otherwise, as later in chunk length check, it may send abort with the existent asoc's vtag, which can be exploited by one to cook a malicious chunk to terminate a SCTP asoc. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/sctp/sm_statefuns.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 1e3f6be5bab9..35701acbed73 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -4549,6 +4549,9 @@ enum sctp_disposition sctp_sf_violation(struct net *net, { struct sctp_chunk *chunk = arg; + if (!sctp_vtag_verify(chunk, asoc)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Make sure that the chunk has a valid length. */ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, -- 2.33.0