Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp2836949pxb; Mon, 1 Nov 2021 02:54:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyoUZ38YtQAWk8kONAX8w2g7ZWLhztsXoJDznFWwKvXmKxQF7tEqbTzPgv5cF992k3QOEKM X-Received: by 2002:a05:6638:2641:: with SMTP id n1mr10218464jat.87.1635760449983; Mon, 01 Nov 2021 02:54:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635760449; cv=none; d=google.com; s=arc-20160816; b=zMdPGgEADIW/Y+q/gPNM3HkGBprxAObKO/zyIRLDleqQa8wamh1ULpytn6PIpgofG9 S3Ekxa5BVKSjuqTb8RbSG41D9TbFzzb1sPOQ+XVMAzyKun2XafCdLmRKytNqXboS2WBR hVLuIlbzmx8aY0CxjZviidYJMuSfMCH6ZpaFX9jdieJGsGAPc2ACmh0SAQmx0YWpwUtO WrT6x/i+Dt8JUfj8F7mm/njuAXzYdVchJk9zFdP3ujbLdRFOjE+0ENuk/dyhYSLXEfg/ utpjQ6SdBfJ6M8e0CuYpz1xfSYQF2EvUah8Ymni7aPNM8EHgQPfKP5tKkY4W8YHJVJdZ yJ8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ToYQ2mV+DLcWj3KidXsM5jPQekHthd0rx6/U82L4vpU=; b=xIK+7Sf8Pe2qZjM6B3/tBExi6oJsXW2PfzafDo8KVxocLn7p4c/U7XYKeH2ErN5oaU r1aGS40NZ2opqSrIuYnBX2gqer2ioiIOewH+FuC1LS95fuNriies3fLMq3QCT08MAb4w jKEMXb9Mb5Kg9cdWN2J7EnRjVKomVFvh+KVgKaIefy5y5wP0Du/S2REToybC4cvVtuMX C0x08r8YDM9GYvqYztJZZ3nQAyxr/lRbOWvjGLmDx6YJD8JJQwyXWYKSJQf0W/urHebQ oifdRzCOUOh+jIDxmA88sPhLkpnAj3+OtonkKo1mHTsnWQ4d8lgwlg7zijYpC5u0dLf6 xB+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=jTYg+1Gv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b69si15285793jab.32.2021.11.01.02.53.58; Mon, 01 Nov 2021 02:54:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=jTYg+1Gv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234917AbhKAJxU (ORCPT + 99 others); Mon, 1 Nov 2021 05:53:20 -0400 Received: from mail.kernel.org ([198.145.29.99]:51108 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234739AbhKAJss (ORCPT ); Mon, 1 Nov 2021 05:48:48 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 6EE7F611C7; Mon, 1 Nov 2021 09:31:29 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1635759089; bh=Pzq1mYHCjP8Msfr/IriVrDsx9F29hH9X8jNfLKF+R0Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=jTYg+1GvRCvbayvi5e0FvX3nMMl5wZ+0kqGbIuWOJZUaMRI2zNcH141hN74A251qn v75LzFoURucqE4c5s3lWISpZNhw2mr6e7hUkSxeaEvi8i/UrcqOuHzi7DGnKx5d4ll y7Aoj+VF2bT/wTwYS+EqEmOSZ0E9gf74MF/tXFj8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Xin Long , Marcelo Ricardo Leitner , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.14 103/125] sctp: add vtag check in sctp_sf_violation Date: Mon, 1 Nov 2021 10:17:56 +0100 Message-Id: <20211101082552.620514441@linuxfoundation.org> X-Mailer: git-send-email 2.33.1 In-Reply-To: <20211101082533.618411490@linuxfoundation.org> References: <20211101082533.618411490@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xin Long [ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ] sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk in cookie_wait state, and some other places are also using it. The vtag in the chunk's sctphdr should be verified, otherwise, as later in chunk length check, it may send abort with the existent asoc's vtag, which can be exploited by one to cook a malicious chunk to terminate a SCTP asoc. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/sctp/sm_statefuns.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 96a069d725e9..36328ab88bdd 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -4669,6 +4669,9 @@ enum sctp_disposition sctp_sf_violation(struct net *net, { struct sctp_chunk *chunk = arg; + if (!sctp_vtag_verify(chunk, asoc)) + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands); + /* Make sure that the chunk has a valid length. */ if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, -- 2.33.0