Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp2823736pxb; Mon, 1 Nov 2021 02:34:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzNvPIYCaJ0SUX1DY+Qjsc4//0ErnleBhNGhMAe6Yq51LGICQTOjMTIurDfqea177ufRq67 X-Received: by 2002:a02:ac12:: with SMTP id a18mr9308338jao.78.1635759245461; Mon, 01 Nov 2021 02:34:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635759245; cv=none; d=google.com; s=arc-20160816; b=RxbETlOJGIA6yPeCCMvsYD4lauFmLaDTHPvt+lu7OOZwe5CzPr+BTAXbmPI9a5zwpI FzD/467zIFNIA6kJNSUqXGiXs/jlv00IAZ5Vw3MZUasCzbDFgydraPUsB6GJcKuTeS4t RSE8Cy46MKBexkVJb8LREjidY2KBdfLiZx4/35MJYkCuNCQOTK4tKz/0E+Zcipuf88PS 0NsYK6i1bDfOQ5nXcYB9zTbaTZK92MuipoTs7RZL5KyImKcAEfsjRyJnCbMkK8ZaKhic 0xiPd0hOCiuN9+zS0cIJ76U7oTF9qVlQWt88LnXLD+8mMgbOK95w6+jLwxiu6452qloN KJ1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=/+pQpDSMBF2IpcY8rsjaqFI3Uj8kpEcd9P/0OTL73KA=; b=Yyl1XKtRNAKW0xuFG/G5uq1blzrfqnPml1gcj74I6uT/PRNv2JlAv99EKZwUWl+fVV RK0Uiu2O3HspRtfIFfxy48Ze+Eo+37bQe7F97gI/FyvGdcypAM+jNPSaudwr7MCOJ8YV sHiN6UfcOFdq6y1ctn7KRDvykZXWtf3hF82HX74aAWtmAeLR+qC0Agk5/XaTEKoFY09l W2RwH/JgAjbc4FJlvb7GgTWpuoABTk8bX/JDs4l97kA5peaCMXuyC5grTVxKs0DbIZ/e B/GPgadAK3QRCMr9KCzCqoeEOaVH/HEGo+E+yX9s/p+K9qugLIkaxTgCADKDwZIIwPka Gk9w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LrnyuQzG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y4si22674920ilv.58.2021.11.01.02.33.54; Mon, 01 Nov 2021 02:34:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LrnyuQzG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233435AbhKAJd1 (ORCPT + 99 others); Mon, 1 Nov 2021 05:33:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:37076 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232720AbhKAJaQ (ORCPT ); Mon, 1 Nov 2021 05:30:16 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 72F5B61247; Mon, 1 Nov 2021 09:23:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1635758627; bh=AVHRtU6ckLfgiBrvHuwvvAHElUbiXyGEBJ95HRQliwc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LrnyuQzG1Hb4EZx+bO3Sw2ohwATXTugJLRM7n64nwc2hoKvQEJqjoYaQdX0hYxh+i WPqjIpiTQOcXRojav/nZcNd+hanrdAUyZ3RlEdwmoZMfVCUhJzoiZgbvwhp5xmJrEx g81K3aN7u8j11GeC7KFCQ72SIbqNLfQ7n4zmqBEA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Xin Long , Marcelo Ricardo Leitner , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.4 42/51] sctp: fix the processing for INIT_ACK chunk Date: Mon, 1 Nov 2021 10:17:46 +0100 Message-Id: <20211101082510.484043277@linuxfoundation.org> X-Mailer: git-send-email 2.33.1 In-Reply-To: <20211101082500.203657870@linuxfoundation.org> References: <20211101082500.203657870@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xin Long [ Upstream commit 438b95a7c98f77d51cbf4db021f41b602d750a3f ] Currently INIT_ACK chunk in non-cookie_echoed state is processed in sctp_sf_discard_chunk() to send an abort with the existent asoc's vtag if the chunk length is not valid. But the vtag in the chunk's sctphdr is not verified, which may be exploited by one to cook a malicious chunk to terminal a SCTP asoc. sctp_sf_discard_chunk() also is called in many other places to send an abort, and most of those have this problem. This patch is to fix it by sending abort with the existent asoc's vtag only if the vtag from the chunk's sctphdr is verified in sctp_sf_discard_chunk(). Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(), the chunk length has been verified before sctp_sf_discard_chunk(), so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of sctp_sf_discard_chunk(), then replace it with sctp_sf_discard(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/sctp/sm_statefuns.c | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 962b848459f5..80e19f5d1738 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -2280,7 +2280,7 @@ enum sctp_disposition sctp_sf_shutdown_pending_abort( */ if (SCTP_ADDR_DEL == sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); if (!sctp_err_chunk_valid(chunk)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); @@ -2326,7 +2326,7 @@ enum sctp_disposition sctp_sf_shutdown_sent_abort( */ if (SCTP_ADDR_DEL == sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); if (!sctp_err_chunk_valid(chunk)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); @@ -2596,7 +2596,7 @@ enum sctp_disposition sctp_sf_do_9_1_abort( */ if (SCTP_ADDR_DEL == sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); if (!sctp_err_chunk_valid(chunk)) return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); @@ -3745,6 +3745,11 @@ enum sctp_disposition sctp_sf_do_asconf(struct net *net, return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); } + /* Make sure that the ASCONF ADDIP chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, + commands); + /* ADD-IP: Section 4.1.1 * This chunk MUST be sent in an authenticated way by using * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk @@ -3753,13 +3758,7 @@ enum sctp_disposition sctp_sf_do_asconf(struct net *net, */ if (!asoc->peer.asconf_capable || (!net->sctp.addip_noauth && !chunk->auth)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, - commands); - - /* Make sure that the ASCONF ADDIP chunk has a valid length. */ - if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk))) - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); hdr = (struct sctp_addiphdr *)chunk->skb->data; serial = ntohl(hdr->serial); @@ -3888,6 +3887,12 @@ enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); } + /* Make sure that the ADDIP chunk has a valid length. */ + if (!sctp_chunk_length_valid(asconf_ack, + sizeof(struct sctp_addip_chunk))) + return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, + commands); + /* ADD-IP, Section 4.1.2: * This chunk MUST be sent in an authenticated way by using * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk @@ -3896,14 +3901,7 @@ enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net, */ if (!asoc->peer.asconf_capable || (!net->sctp.addip_noauth && !asconf_ack->auth)) - return sctp_sf_discard_chunk(net, ep, asoc, type, arg, - commands); - - /* Make sure that the ADDIP chunk has a valid length. */ - if (!sctp_chunk_length_valid(asconf_ack, - sizeof(struct sctp_addip_chunk))) - return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, - commands); + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data; rcvd_serial = ntohl(addip_hdr->serial); @@ -4475,6 +4473,9 @@ enum sctp_disposition sctp_sf_discard_chunk(struct net *net, { struct sctp_chunk *chunk = arg; + if (asoc && !sctp_vtag_verify(chunk, asoc)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Make sure that the chunk has a valid length. * Since we don't know the chunk type, we use a general * chunkhdr structure to make a comparison. -- 2.33.0