From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xin Long, Marcelo Ricardo Leitner, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.10 70/77] sctp: add vtag check in sctp_sf_ootb
Date: Mon, 1 Nov 2021 10:17:58 +0100
Message-Id: <20211101082526.215677294@linuxfoundation.org>
In-Reply-To: <20211101082511.254155853@linuxfoundation.org>
References: <20211101082511.254155853@linuxfoundation.org>

From: Xin Long

[ Upstream commit 9d02831e517aa36ee6bdb453a0eb47bd49923fe3 ]

sctp_sf_ootb() is called when processing a DATA chunk in the closed state,
and many other places are also using it.

The vtag in the chunk's sctphdr should be verified; otherwise, as later in
the chunk length check, it may send an abort with the existent asoc's vtag,
which can be exploited by one to cook a malicious chunk to terminate an
SCTP asoc.

When it fails to verify the vtag from the chunk, this patch sets asoc to
NULL, so that the abort will be made with the vtag from the received chunk
later.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long
Acked-by: Marcelo Ricardo Leitner
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
---
 net/sctp/sm_statefuns.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 82a76fda226b..096e6be1d8fc 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -3568,6 +3568,9 @@ enum sctp_disposition sctp_sf_ootb(struct net *net, SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES); + if (asoc && !sctp_vtag_verify(chunk, asoc)) + asoc = NULL; + ch = (struct sctp_chunkhdr *)chunk->chunk_hdr; do { /* Report violation if the chunk is less then minimal */
-- 
2.33.0
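Review bot: the reason for dropping `asoc` to NULL instead of discarding the packet lives only in the commit message; a one-line comment above the new `if (asoc && !sctp_vtag_verify(chunk, asoc))` (that a vtag mismatch must not let a later ABORT be built with the existing association's tag) would keep that intent next to the code. The placement is right: the check precedes the `do { ... }` chunk walk, so every violation reported inside that loop already sees `asoc == NULL` and builds its reply from the received chunk's vtag, as the message describes. The `asoc &&` prefix keeps behaviour unchanged for the out-of-the-blue case where no association is passed in.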
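To make the bug in the commit message concrete, here is an added C model (not kernel code and not part of the patch) of the vtag decision in sctp_sf_ootb(): it parses the SCTP common header, applies the vtag-equals-my_vtag comparison at the core of sctp_vtag_verify(), and reports which vtag an OOTB ABORT reply would carry with and without the fix. The struct and function names, the sample packets and the association tags are constructed for this example, and the reply-tag rule (peer's init tag when an association is used, the packet's own vtag otherwise) is an assumption modelled on the kernel's OOTB reply path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* SCTP common header (RFC 4960 section 3.1); fields are big-endian on the wire. */
struct sctp_hdr_model { uint16_t source, dest; uint32_t vtag, checksum; };

/* Hypothetical stand-in for the kernel's association state (not struct sctp_association):
 * my_vtag is the tag expected on inbound packets, peer_init_tag the one the peer expects. */
struct asoc_model { uint32_t my_vtag, peer_init_tag; };

static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Parse the 12-byte common header; rejects buffers too short to hold it. */
bool parse_sctp_hdr(const uint8_t *buf, size_t len, struct sctp_hdr_model *h)
{
    if (len < 12)
        return false;
    h->source = (uint16_t)((buf[0] << 8) | buf[1]);
    h->dest = (uint16_t)((buf[2] << 8) | buf[3]);
    h->vtag = rd32(buf + 4);
    h->checksum = rd32(buf + 8);
    return true;
}

/* The comparison at the core of the kernel's sctp_vtag_verify(): the packet's vtag
 * must equal the association's own tag. */
bool vtag_verify(const struct sctp_hdr_model *h, const struct asoc_model *asoc) { return h->vtag == asoc->my_vtag; }

/* Vtag the OOTB ABORT reply would carry (0 if the header cannot be parsed). With the patch
 * applied (fixed == true) a mismatching packet drops asoc to NULL, so the reply echoes the
 * packet's own tag, which the real peer discards; without it the reply carries the peer's
 * genuine tag and would tear the association down. */
uint32_t ootb_abort_vtag(const uint8_t *buf, size_t len, const struct asoc_model *asoc, bool fixed)
{
    struct sctp_hdr_model h;
    if (!parse_sctp_hdr(buf, len, &h))
        return 0;
    if (fixed && asoc && !vtag_verify(&h, asoc))
        asoc = NULL;
    return asoc ? asoc->peer_init_tag : h.vtag;
}

/* Constructed samples (not captured traffic): ports 5000->5000, checksum left zero. */
const uint8_t sample_pkt_good[12] = {0x13, 0x88, 0x13, 0x88, 0x11, 0x11, 0x11, 0x11, 0, 0, 0, 0};
const uint8_t sample_pkt_bad[12] = {0x13, 0x88, 0x13, 0x88, 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0};
const struct asoc_model sample_asoc = {0x11111111u, 0x22222222u};
```

Running it with the forged packet shows the pre-fix reply carrying 0x22222222 (the peer's real tag) and the post-fix reply carrying 0xdeadbeef, which the peer will not accept.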